CVE-2026-25934
Published 2026-02-09
Priority P4 (22) · medium 4.3 · CVSS 3.1
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS 0.14% (3.4th percentile)
go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. As a result, go-git could consume corrupted files, which would likely surface as unexpected errors such as object not found. For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming them. The pack indexes (.idx) are generated locally by go-git, or the git CLI, when new .pack files are received and processed. The integrity checks for both files were not being verified correctly. This vulnerability is fixed in 5.16.5.
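The check the advisory describes is mechanical: a .pack file ends with a 20-byte SHA-1 over everything before the trailer, and a .idx file ends with a copy of that pack checksum followed by its own 20-byte SHA-1. The following is an added example, not go-git's code and not the fix shipped in 5.16.5; the function names (`VerifyPack`, `VerifyIdx`, `BuildSample`) are assumptions for this illustration, and the sample pack and index are constructed toy data (an empty v2 pack and a v2 index header with an empty fan-out table), not real git output. It shows what a consumer of fetched packfiles should reject before reading objects out of them: a pack whose trailer does not match its body, an index whose trailer does not match, and an index whose embedded pack checksum does not belong to the pack it is paired with.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// Both .pack and .idx trailers use SHA-1 (20 bytes) in the classic pack format.
const checksumLen = sha1.Size

// be32 encodes v as a big-endian uint32, the byte order git uses in headers.
func be32(v uint32) []byte {
	b := make([]byte, 4)
	binary.BigEndian.PutUint32(b, v)
	return b
}

// VerifyPack confirms the trailing checksum of a packfile matches the SHA-1
// of the body and returns that checksum so the caller can tie an index to it.
func VerifyPack(pack []byte) ([]byte, error) {
	if len(pack) < 12+checksumLen {
		return nil, errors.New("pack: too short for header and checksum")
	}
	if string(pack[:4]) != "PACK" {
		return nil, errors.New("pack: bad signature")
	}
	body, trailer := pack[:len(pack)-checksumLen], pack[len(pack)-checksumLen:]
	sum := sha1.Sum(body)
	if !bytes.Equal(sum[:], trailer) {
		return nil, fmt.Errorf("pack: checksum mismatch (stored %x, computed %x)", trailer, sum)
	}
	return trailer, nil
}

// VerifyIdx checks an index file's own trailing SHA-1 and the copy of the pack
// checksum stored just before it, which must equal packSum from VerifyPack.
func VerifyIdx(idx, packSum []byte) error {
	if len(idx) < 2*checksumLen {
		return errors.New("idx: too short for checksums")
	}
	body, trailer := idx[:len(idx)-checksumLen], idx[len(idx)-checksumLen:]
	if sum := sha1.Sum(body); !bytes.Equal(sum[:], trailer) {
		return fmt.Errorf("idx: checksum mismatch (stored %x, computed %x)", trailer, sum)
	}
	packCopy := idx[len(idx)-2*checksumLen : len(idx)-checksumLen]
	if !bytes.Equal(packCopy, packSum) {
		return errors.New("idx: embedded pack checksum does not match the pack")
	}
	return nil
}

// withTrailer appends the SHA-1 of data, the way git writes a trailer.
func withTrailer(data []byte) []byte {
	sum := sha1.Sum(data)
	return append(data, sum[:]...)
}

// BuildSample constructs a toy, well-formed pair (assumption: constructed
// sample data, not produced by git): an empty v2 pack and a v2 index header
// with an all-zero fan-out table whose embedded pack checksum points at it.
func BuildSample() (pack, idx []byte) {
	hdr := append([]byte("PACK"), be32(2)...) // version 2
	hdr = append(hdr, be32(0)...)            // zero objects
	pack = withTrailer(hdr)
	packSum := pack[len(pack)-checksumLen:]

	idxBody := append([]byte{0xff, 't', 'O', 'c'}, be32(2)...) // v2 magic + version
	idxBody = append(idxBody, make([]byte, 256*4)...)         // empty fan-out table
	idxBody = append(idxBody, packSum...)                     // copy of pack checksum
	idx = withTrailer(idxBody)
	return pack, idx
}

func main() {
	pack, idx := BuildSample()
	packSum, err := VerifyPack(pack)
	fmt.Println("pack:", err)
	fmt.Println("idx:", VerifyIdx(idx, packSum))

	// Flip one byte of the pack body: a checksum-aware reader must reject it
	// instead of going on to fail later with "object not found".
	corrupt := append([]byte(nil), pack...)
	corrupt[8] ^= 0x01
	_, err = VerifyPack(corrupt)
	fmt.Println("corrupt pack:", err)
}
```

The pairing check in `VerifyIdx` matters as much as the two hash comparisons: an index that hashes correctly but was generated for a different pack is still a corrupted view of the object store.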
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-github-go-git-go-git | < golang-github-go-git-go-git 5.17.0-1 (forky) | golang-github-go-git-go-git 5.17.0-1 (forky) |
| github.com | go-git_go-git_v5 | >= 0 < 5.16.5 | 5.16.5 |
| go-git | go-git | < 5.16.5 | 5.16.5 |
| go-git_project | go-git | < 5.16.5 | 5.16.5 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| osv | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |
| vendor_debian | | 4.3 | MEDIUM | |
| vendor_redhat | | 4.3 | MEDIUM | |
Ubuntu
go-git vulnerabilities
vendor_ubuntu·2026-03-12·CVSS 7.5
CVE-2025-21613 [HIGH] go-git vulnerabilities
Title: go-git vulnerabilities
Summary: Several security issues were fixed in go-git.
Ionut Lalu discovered that go-git incorrectly handled certain specially
crafted Git server responses. An attacker could possibly use this issue to
cause a denial of service. (CVE-2023-49568, CVE-2025-21614)
Ionut Lalu discovered that go-git incorrectly handled file system paths
when using the ChrootOS implementation. A remote attacker could possibly
use this issue to perform a path traversal and create or modify arbitrary
files, leading to remote code execution. (CVE-2023-49569)
It was discovered that go-git did not properly sanitize arguments when
invoking git-upload-pack using the file transport protocol. An attacker
could possibly use this issue to inject arbitrary flag values when
interacting with local Git repositories. (CVE-2025-21613)
Red Hat
go-git/go-git: go-git: Data integrity issue due to improper verification of pack and index files
vendor_redhat·2026-02-09·CVSS 4.3
CVE-2026-25934 [MEDIUM] CWE-354 go-git/go-git: go-git: Data integrity issue due to improper verification of pack and index files
Debian
CVE-2026-25934: golang-github-go-git-go-git - go-git is a highly extensible git implementation library written in pure Go. Pri...
vendor_debian·2026·CVSS 4.3
CVE-2026-25934 [MEDIUM] CVE-2026-25934: golang-github-go-git-go-git - go-git is a highly extensible git implementation library written in pure Go. Pri...
Scope: local
bookworm: open
forky:
OSV
golang-github-go-git-go-git vulnerabilities
osv·2026-03-12·CVSS 7.5
CVE-2023-49568 [HIGH] golang-github-go-git-go-git vulnerabilities
OSV
Improper verification of data integrity values for .idx and .pack files in github.com/go-git/go-git
osv·2026-02-19
CVE-2026-25934 Improper verification of data integrity values for .idx and .pack files in github.com/go-git/go-git
OSV
go-git improperly verifies data integrity values for .idx and .pack files
osv·2026-02-10
CVE-2026-25934 [MEDIUM] go-git improperly verifies data integrity values for .idx and .pack files
### Impact
A vulnerability was discovered in `go-git` whereby data integrity values for `.pack` and `.idx` files were not properly verified. This resulted in `go-git` potentially consuming corrupted files, which would likely result in unexpected errors such as `object not found`.
For context, clients fetch [`packfiles`](https://git-scm.com/docs/pack-protocol#_packfile_data) from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming them. The pack indexes (`.idx`) are [generated](https://git-scm.com/docs/pack-format) locally by `go-git`, or the `git` CLI, when new `.pack` files are received and processed. The integrity checks for both files were not being verified correctly.
GHSA
go-git improperly verifies data integrity values for .idx and .pack files
ghsa·2026-02-10
CVE-2026-25934 [MEDIUM] CWE-354 go-git improperly verifies data integrity values for .idx and .pack files
OSV
CVE-2026-25934: go-git is a highly extensible git implementation library written in pure Go
osv·2026-02-09·CVSS 4.3
CVE-2026-25934 [MEDIUM] CVE-2026-25934: go-git is a highly extensible git implementation library written in pure Go
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-25934 go-git/go-git: go-git: Data integrity issue due to improper verification of pack and index files
bugzilla·2026-02-09·CVSS 4.3
CVE-2026-25934 [MEDIUM] CVE-2026-25934 go-git/go-git: go-git: Data integrity issue due to improper verification of pack and index files
Wiz
CVE-2026-24117 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-24117 [MEDIUM] CVE-2026-24117 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24117 :
Datadog Agent vulnerability analysis and mitigation
Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. The issue has been fixed in version 1.5.0. To workaround this issue, disable the search endpoint with --enable_retrieve_api=false.
Source: NVD · Score 5.3 · Published January 22, 2026 · Severity MEDIUM · CNA Score 5.3
Affected Technol
Wiz
CVE-2026-25934 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-25934 [MEDIUM] CVE-2026-25934 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25934 :
Packer vulnerability analysis and mitigation
Wiz
CVE-2025-22873 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.8
CVE-2025-22873 [LOW] CVE-2025-22873 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-22873 :
Datadog Agent vulnerability analysis and mitigation
It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.
Source: NVD · Score 3.8 · Published February 4, 2026 · Severity LOW · CNA Score 3.8
Affected Technologies: Datadog Agent, NixOS
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 0.1
Exploitation Probability (EPSS): N/A
Affected packages and libraries: container-tools:rhel8::runc, containerd-1
Sources: Alpine 3.1
Wiz
CVE-2026-24137 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.8
CVE-2026-24137 [MEDIUM] CVE-2026-24137 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24137 :
Datadog Agent vulnerability analysis and mitigation
sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from signed target metadata; however, it does not validate that the resulting path stays within the cache base directory. A malicious TUF repository can trigger arbitrary file overwriting, limited to the permissions that the calling process has. Note that this should only affect clients that are directly using the TUF client in sigstore/sigstore or are using an older version of Cosign. Public Sigstore deployment users are unaffecte
Wiz
CVE-2026-22703 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2026-22703 [MEDIUM] CVE-2026-22703 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22703 :
Datadog Agent vulnerability analysis and mitigation
Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor entry, Cosign verifies the Rekor entry signature, and also compares the artifact's digest, the user's public key from either a Fulcio certificate or provided by the user, and the artifact signature to the Rekor entry contents. Without these comparisons, Cosign would accept any response from Rekor as valid. A malicious actor that has compromised a user's identity or signing key could construct a valid Cosign bundle by includin
Wiz
CVE-2026-23831 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-23831 [MEDIUM] CVE-2026-23831 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23831 :
Datadog Agent vulnerability analysis and mitigation
Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing nil Pointer Dereference. Function validate() returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload. A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal. This issue has been fixed in version 1.5.0.
Source: NVD · Score 5.3
Published 2026-02-09