Go-Git Project Go-Git vulnerabilities
7 known vulnerabilities affecting go-git_project/go-git.
Total CVEs: 7
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown
CRITICAL: 2, HIGH: 2, MEDIUM: 2, LOW: 1
Vulnerabilities
CVE-2026-34165 | MEDIUM | CVSS 5.0 | CWE-191 | ≥ 5.0.0, < 5.17.1 | 2026-03-31
go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-of-service (DoS) condition. Exploitation requires wr
nvd
CVE-2026-33762 | LOW | CVSS 2.8 | CWE-129 | fixed in 5.17.1 | 2026-03-31
go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic duri
nvd
CVE-2026-25934 | MEDIUM | CVSS 4.3 | CWE-354 | fixed in 5.16.5 | 2026-02-09
go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would likely result in unexpected errors such as object not foun
nvd
CVE-2025-21613 | CRITICAL | CVSS 9.2 | CWE-88 | fixed in 5.13.0 | 2025-01-06
go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, a
nvd
CVE-2025-21614 | HIGH | CVSS 7.5 | CWE-400 | fixed in 5.13.0 | 2025-01-06
go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients
nvd
CVE-2023-49569 | CRITICAL | CVSS 9.8 | CWE-22 | ≥ 4.0.0, < 5.11.0 | 2024-01-12
A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worst-case scenario, remote code execution could be achieved.
Applications are only affected if they are using the ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/os
nvd
CVE-2023-49568 | HIGH | CVSS 7.5 | CWE-20 | ≥ 4.0.0, < 5.11.0 | 2024-01-12
A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.
Applications using only the in-memory filesystem supported by go-git are no
nvd