CVE-2025-21613
published 2025-01-06


Priority: P258 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.24% (65.4th percentile)
go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.

Affected

12 ranges

Vendor           Product                                   Version range                                        Fixed in
debian           golang-github-go-git-go-git               < golang-github-go-git-go-git 5.13.2-1 (forky)       golang-github-go-git-go-git 5.13.2-1 (forky)
github.com       go-git_go-git_v4                          >= 4.0.0                                             (none listed)
github.com       go-git_go-git_v5                          >= 0, < 5.13.0                                       5.13.0
go-git           go-git                                    (not specified)                                      (not specified)
go-git_project   go-git                                    < 5.13.0                                             5.13.0
gopkg.in         src-d_go-git.v4                           4.0.0 – 4.13.1                                       (none listed)
gopkg.in         src-d_go-git.v4                           >= 4.0.0                                             (none listed)
msrc             azl3_packer_1.9.5-5_on_azure_linux_3.0    (not specified)                                      (not specified)
msrc             azl3_packer_1.9.5-6_on_azure_linux_3.0    (not specified)                                      (not specified)
msrc             cbl2_cri-o_1.22.3-12_on_cbl_mariner_2.0   (not specified)                                      (not specified)
msrc             cbl2_packer_1.9.5-5_on_cbl_mariner_2.0    (not specified)                                      (not specified)
msrc             cbl2_packer_1.9.5-7_on_cbl_mariner_2.0    (not specified)                                      (not specified)

Detection & IOCs (extracted from sources)

  • Argument injection occurs exclusively when the file transport protocol is used in go-git, as it is the only protocol that shells out to git binaries — monitor for unexpected git-upload-pack invocations with anomalous flag values originating from go-git-based applications
  • Detect argument injection attempts by monitoring the URL field passed to go-git for values that include flag-like strings (e.g., leading dashes) that could be forwarded as git-upload-pack arguments
  • Flag any go-git process spawning git-upload-pack with unexpected or injected flag arguments — this is the direct exploitation path for CVE-2025-21613
  • Vulnerability only affects go-git deployments using the file transport protocol; SSH and HTTP/HTTPS transport protocols are not affected
  • If upgrading is not immediately possible, enforce validation rules on values passed in the URL field as a temporary mitigation
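The two defensive measures in the bullets above (validating URL-field values before they reach the file transport, and flagging git-upload-pack invocations that carry flag-like arguments) can both be expressed in a few lines of Go. The following is an added example written for this page; it is not go-git's own code and does not reproduce the fix shipped in v5.13.0. It assumes that the file transport ultimately spawns a binary named `git-upload-pack` (the name used in the advisory text) with the repository path as its argument, and that process audit records arrive as whitespace-separated command lines. All inputs in `main` are constructed samples.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrFlagLikeTarget is returned when a file-transport target would be parsed
// by git-upload-pack as an option rather than as a repository path.
var ErrFlagLikeTarget = errors.New("file transport target begins with '-' and would be read as a flag")

// ValidateFileTarget applies the temporary mitigation from the advisory:
// a value destined for go-git's file transport is checked before use.
// It accepts a bare filesystem path or a file:// URL and returns the cleaned
// path, or an error if the value looks like a command-line flag.
// (Editor's illustration, not go-git's own validation logic.)
func ValidateFileTarget(raw string) (string, error) {
	target := strings.TrimSpace(raw)
	if strings.HasPrefix(target, "file://") {
		u, err := url.Parse(target)
		if err != nil {
			return "", err
		}
		// A value such as file://--option parses with "--option" as the host
		// component; the file transport has no use for a host, so reject it.
		if u.Host != "" {
			return "", fmt.Errorf("file URL must not carry a host component, got %q", u.Host)
		}
		target = u.Path
	}
	if target == "" {
		return "", errors.New("empty file transport target")
	}
	if strings.HasPrefix(target, "-") {
		return "", ErrFlagLikeTarget
	}
	return filepath.Clean(target), nil
}

// FlagLikeArgs implements the detection bullet over a single process audit
// record: given the command line of a spawned process, it returns the
// arguments git-upload-pack would interpret as flags. The binary name
// git-upload-pack is assumed (see lead-in); nil means nothing to flag,
// including command lines for other binaries.
func FlagLikeArgs(cmdline string) []string {
	fields := strings.Fields(cmdline)
	if len(fields) == 0 || filepath.Base(fields[0]) != "git-upload-pack" {
		return nil
	}
	var flags []string
	for _, arg := range fields[1:] {
		if strings.HasPrefix(arg, "-") {
			flags = append(flags, arg)
		}
	}
	return flags
}

func main() {
	// Constructed inputs; none are taken from a real incident.
	for _, v := range []string{"/srv/git/app.git", "file:///srv/git/app.git", "--some-option=value", "file://--some-option"} {
		p, err := ValidateFileTarget(v)
		fmt.Printf("%-26q -> path=%q err=%v\n", v, p, err)
	}
	audit := []string{
		"/usr/bin/git-upload-pack /srv/git/app.git",
		"/usr/bin/git-upload-pack --injected-option=value /srv/git/app.git",
		"/usr/bin/git-receive-pack /srv/git/app.git",
	}
	for _, line := range audit {
		fmt.Printf("%q -> flag-like args: %v\n", line, FlagLikeArgs(line))
	}
}
```

`ValidateFileTarget` belongs at the boundary where untrusted input is turned into a go-git URL; `FlagLikeArgs` is the shape of a rule for whatever collects process-creation events on hosts running go-git-based services, where any flag argument on a git-upload-pack spawn is worth an alert.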

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v4.0      9.2     CRITICAL   CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
osv             -         9.2     CRITICAL   -
vendor_debian   -         9.2     CRITICAL   -
vendor_redhat   -         9.2     CRITICAL   -
vendor_msrc     -         8.1     HIGH       -
vendor_ubuntu   -         7.5     HIGH       -