CVE-2026-25934
published 2026-02-09

Priority: P4, 22, medium, 4.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS: 0.14% (3.4th percentile)

go-git is a highly extensible Git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. As a result, go-git could consume corrupted files, which would likely lead to unexpected errors such as "object not found". For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming them. The pack indexes (.idx) are generated locally by go-git, or by the git CLI, when new .pack files are received and processed. The integrity checks for both file types were not being performed correctly. This vulnerability is fixed in 5.16.5.

Affected

4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-github-go-git-go-git | < golang-github-go-git-go-git 5.17.0-1 (forky) | golang-github-go-git-go-git 5.17.0-1 (forky) |
| github.com | go-git_go-git_v5 | >= 0 < 5.16.5 | 5.16.5 |
| go-git | go-git | < 5.16.5 | 5.16.5 |
| go-git_project | go-git | < 5.16.5 | 5.16.5 |

CVSS provenance

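| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| osv | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |
| vendor_debian | | 4.3 | MEDIUM | |
| vendor_redhat | | 4.3 | MEDIUM | |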