Vulnerability_id VCID-m4t6-vddc-3bfw
Summary
go-git: Maliciously crafted idx file can cause asymmetric memory consumption
### Impact

A vulnerability has been identified in which a maliciously crafted `.idx` file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a Denial of Service (DoS) condition.

Exploitation requires write access to the local repository's `.git` directory in order to create or alter existing `.idx` files.

### Patches

Users should upgrade to `v5.17.1`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability.

### Credit

The go-git maintainers thank @kq5y for finding and reporting this issue privately to the `go-git` project.
Aliases
0
alias CVE-2026-34165
1
alias GHSA-jhf3-xxhw-2wpp
Fixed_packages
0
url pkg:deb/debian/golang-github-go-git-go-git@5.16.2-1
purl pkg:deb/debian/golang-github-go-git-go-git@5.16.2-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.16.2-1
1
url pkg:deb/debian/golang-github-go-git-go-git@5.17.1-1?distro=trixie
purl pkg:deb/debian/golang-github-go-git-go-git@5.17.1-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.17.1-1%3Fdistro=trixie
2
url pkg:golang/github.com/go-git/go-git/v5@5.17.1
purl pkg:golang/github.com/go-git/go-git/v5@5.17.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:golang/github.com/go-git/go-git/v5@5.17.1
Affected_packages
0
url pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3
purl pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-62r9-cvp9-tfbg
1
vulnerability VCID-6smu-rrju-z7ca
2
vulnerability VCID-c5e4-td2w-37by
3
vulnerability VCID-j8jp-r751-sbf8
4
vulnerability VCID-kqrm-h42a-13ce
5
vulnerability VCID-m4t6-vddc-3bfw
6
vulnerability VCID-rka6-epua-h7gz
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3
1
url pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3?distro=trixie
purl pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-62r9-cvp9-tfbg
1
vulnerability VCID-6smu-rrju-z7ca
2
vulnerability VCID-c5e4-td2w-37by
3
vulnerability VCID-j8jp-r751-sbf8
4
vulnerability VCID-kqrm-h42a-13ce
5
vulnerability VCID-m4t6-vddc-3bfw
6
vulnerability VCID-rka6-epua-h7gz
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3%3Fdistro=trixie
2
url pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1
purl pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-62r9-cvp9-tfbg
1
vulnerability VCID-kqrm-h42a-13ce
2
vulnerability VCID-m4t6-vddc-3bfw
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1
3
url pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1?distro=trixie
purl pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-62r9-cvp9-tfbg
1
vulnerability VCID-kqrm-h42a-13ce
2
vulnerability VCID-m4t6-vddc-3bfw
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1%3Fdistro=trixie
References
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34165.json
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34165.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34165
reference_id
reference_type
scores
0
value 0.00013
scoring_system epss
scoring_elements 0.02244
published_at 2026-04-18T12:55:00Z
1
value 0.00013
scoring_system epss
scoring_elements 0.02234
published_at 2026-04-16T12:55:00Z
2
value 0.00013
scoring_system epss
scoring_elements 0.02252
published_at 2026-04-13T12:55:00Z
3
value 0.00013
scoring_system epss
scoring_elements 0.02158
published_at 2026-04-04T12:55:00Z
4
value 0.00013
scoring_system epss
scoring_elements 0.02262
published_at 2026-04-08T12:55:00Z
5
value 0.00013
scoring_system epss
scoring_elements 0.0226
published_at 2026-04-07T12:55:00Z
6
value 0.00013
scoring_system epss
scoring_elements 0.02254
published_at 2026-04-12T12:55:00Z
7
value 0.00013
scoring_system epss
scoring_elements 0.02266
published_at 2026-04-11T12:55:00Z
8
value 0.00013
scoring_system epss
scoring_elements 0.02094
published_at 2026-04-02T12:55:00Z
9
value 0.00013
scoring_system epss
scoring_elements 0.02284
published_at 2026-04-09T12:55:00Z
10
value 5e-05
scoring_system epss
scoring_elements 0.00285
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34165
2
reference_url https://github.com/go-git/go-git
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/go-git/go-git
3
reference_url https://github.com/go-git/go-git/releases/tag/v5.17.1
reference_id
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
1
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:09:59Z/
url https://github.com/go-git/go-git/releases/tag/v5.17.1
4
reference_url https://github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp
reference_id
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
1
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:09:59Z/
url https://github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34165
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34165
6
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132584
reference_id 1132584
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132584
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2453379
reference_id 2453379
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2453379
Weaknesses
0
cwe_id 191
name Integer Underflow (Wrap or Wraparound)
description The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
1
cwe_id 770
name Allocation of Resources Without Limits or Throttling
description The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
Exploits
Severity_range_score 4.0 - 6.9
Exploitability 0.5
Weighted_severity 6.2
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-m4t6-vddc-3bfw