Severity: 7.5 HIGH (NVD)
EPSS: 0.2% (top 55.14%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 6; Latest update Mar 12

Description

go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server that trigger resource exhaustion in go-git clients. Users running go-git v4 or later are advised to upgrade to v5.13 to mitigate this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (7 packages)

NVD: go-git_project/go-git < 5.13.0
debian: debian/golang-github-go-git-go-git < golang-github-go-git-go-git 5.13.2-1 (forky)
Go: github.com/go-git_go-git 4.0.0 4.13.1
Go: gopkg.in/src-d_go-git.v4 4.0.0 4.13.1 +1

Vulnerability Details (5)

OSV: golang-github-go-git-go-git vulnerabilities (2026-03-12)
OSV: Clients vulnerable to DoS via maliciously crafted Git server replies in github.com/go-git/go-git (2025-01-07)
OSV: CVE-2025-21614: go-git is a highly extensible git implementation library written in pure Go (2025-01-06)
GHSA: go-git clients vulnerable to DoS via maliciously crafted Git server replies (2025-01-06)
OSV: go-git clients vulnerable to DoS via maliciously crafted Git server replies (2025-01-06)

Vendor Advisories (3)

Ubuntu: go-git vulnerabilities (2026-03-12)
Red Hat: go-git: go-git clients vulnerable to DoS via maliciously crafted Git server replies (2025-01-06)
Debian: CVE-2025-21614: golang-github-go-git-go-git - go-git is a highly extensible git implementation library written in pure Go. A d... (2025)