github.com/go-git/go-git/v5 vulnerabilities
7 known vulnerabilities affecting github.com/go-git/go-git/v5.
Total CVEs: 7
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 2, MEDIUM 2, LOW 1
Vulnerabilities
CVE-2026-34165 | MEDIUM | ≥ 5.0.0, < 5.17.1 | 2026-03-30
CVE-2026-34165 [MEDIUM] CWE-191 go-git: Maliciously crafted idx file can cause asymmetric memory consumption
### Impact
A vulnerability has been identified in which a maliciously crafted `.idx` file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a Denial of Service (DoS) condition.
Exploitation requires write access to the local repository's `.git` directory, it orde
Sources: GHSA, OSV
CVE-2026-33762 | LOW | ≥ 0, < 5.17.1 | 2026-03-30
CVE-2026-33762 [LOW] CWE-129 go-git missing validation decoding Index v4 files leads to panic
### Impact
`go-git`’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing.
This issue only affects Git index format v
Sources: GHSA, OSV
CVE-2026-25934 | MEDIUM | ≥ 0, < 5.16.5 | 2026-02-10
CVE-2026-25934 [MEDIUM] CWE-354 go-git improperly verifies data integrity values for .idx and .pack files
### Impact
A vulnerability was discovered in `go-git` whereby data integrity values for `.pack` and `.idx` files were not properly verified. This resulted in `go-git` potentially consuming corrupted files, which would likely result in unexpected errors such as `object not found`.
For context, clients fetch [`packfil
Sources: GHSA, OSV
CVE-2025-21613 | CRITICAL | ≥ 0, < 5.13.0 | 2025-01-06
CVE-2025-21613 [CRITICAL] CWE-88 go-git has an Argument Injection via the URL field
### Impact
An argument injection vulnerability was discovered in `go-git` versions prior to `v5.13`.
Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to [git-upload-pack flags](https://git-scm.com/docs/git-upload-pack). This only happens when the `file` transport protocol is being used, as that is the only protocol t
Sources: GHSA, OSV
CVE-2025-21614 | HIGH | ≥ 0, < 5.13.0 | 2025-01-06
CVE-2025-21614 [HIGH] CWE-20 go-git clients vulnerable to DoS via maliciously crafted Git server replies
### Impact
A denial of service (DoS) vulnerability was discovered in go-git versions prior to `v5.13`. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server that trigger resource exhaustion in `go-git` clients.
This is a `go-git` imple
Sources: GHSA, OSV
CVE-2023-49569 | CRITICAL | ≥ 5.0.0, < 5.11.0 | 2024-01-10
CVE-2023-49569 [CRITICAL] CWE-22 Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients
### Impact
A path traversal vulnerability was discovered in go-git versions prior to `v5.11`. This vulnerability allows an attacker to create and amend files across the filesystem. In the worst-case scenario, remote code execution could be achieved.
Applications are only affected
Sources: GHSA, OSV
CVE-2023-49568 | HIGH | ≥ 0, < 5.11.0 | 2023-12-27
CVE-2023-49568 [HIGH] CWE-20 Maliciously crafted Git server replies can cause DoS on go-git clients
### Impact
A denial of service (DoS) vulnerability was discovered in go-git versions prior to `v5.11`. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server that trigger resource exhaustion in `go-git` clients.
Applications using only the in-mem
Sources: GHSA, OSV