CVE-2026-25934 — Improper Validation of Integrity Check Value in Go-git

CWE-354 — Improper Validation of Integrity Check Value15 documents7 sources

Severity

4.3MEDIUMNVD

OSV7.5

EPSS

0.0%

top 99.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Go-git Github.com Go-git Go-git V5 Go-git Project Go-git +1 more

Timeline

PublishedFeb 9

Latest updateMar 12

Description

go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would likely result in unexpected errors such as object not found. For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform inte…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶CVEListV5go-git/go-git< 5.16.5

▶NVDgo-git_project/go-git< 5.16.5

▶Gogithub.com/go-git_go-git_v5< 5.16.5

▶debiandebian/golang-github-go-git-go-git< golang-github-go-git-go-git 5.17.0-1 (forky)

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

golang-github-go-git-go-git vulnerabilities↗2026-03-12

▶

OSV

Improper verification of data integrity values for .idx and .pack files in github.com/go-git/go-git↗2026-02-19

▶

OSV

go-git improperly verifies data integrity values for .idx and .pack files↗2026-02-10

▶

GHSA

go-git improperly verifies data integrity values for .idx and .pack files↗2026-02-10

▶

OSV

CVE-2026-25934: go-git is a highly extensible git implementation library written in pure Go↗2026-02-09

▶

📋Vendor Advisories

Ubuntu

go-git vulnerabilities↗2026-03-12

▶

Red Hat

go-git/go-git: go-git: Data integrity issue due to improper verification of pack and index files↗2026-02-09

▶

Debian

CVE-2026-25934: golang-github-go-git-go-git - go-git is a highly extensible git implementation library written in pure Go. Pri...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-24117 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-25934 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2025-22873 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-24137 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-22703 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶