
Vulnerability_id VCID-62r9-cvp9-tfbg
Summary
go-git missing validation decoding Index v4 files leads to panic
### Impact

`go-git`’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing.

This issue only affects Git index format version 4. Earlier formats (`go-git` supports only `v2` and `v3`) are not vulnerable to this issue.

An attacker able to supply a crafted `.git/index` file can cause applications using go-git to panic while reading the index. If the application does not recover from panics, this results in process termination, leading to a denial-of-service (DoS) condition.

Exploitation requires the ability to modify or inject a Git index file within the local repository on disk. This typically implies write access to the `.git` directory.

### Patches

Users should upgrade to `v5.17.1`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability.

### Credit

go-git maintainers thank @kq5y for finding and reporting this issue privately to the `go-git` project.
Aliases
0
alias CVE-2026-33762
1
alias GHSA-gm2x-2g9h-ccm8
Fixed_packages
0
url pkg:deb/debian/golang-github-go-git-go-git@5.16.2-1
purl pkg:deb/debian/golang-github-go-git-go-git@5.16.2-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.16.2-1
1
url pkg:deb/debian/golang-github-go-git-go-git@5.17.1-1?distro=trixie
purl pkg:deb/debian/golang-github-go-git-go-git@5.17.1-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.17.1-1%3Fdistro=trixie
2
url pkg:golang/github.com/go-git/go-git/v5@5.17.1
purl pkg:golang/github.com/go-git/go-git/v5@5.17.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:golang/github.com/go-git/go-git/v5@5.17.1
Affected_packages
0
url pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3
purl pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-62r9-cvp9-tfbg
1
vulnerability VCID-6smu-rrju-z7ca
2
vulnerability VCID-c5e4-td2w-37by
3
vulnerability VCID-j8jp-r751-sbf8
4
vulnerability VCID-kqrm-h42a-13ce
5
vulnerability VCID-m4t6-vddc-3bfw
6
vulnerability VCID-rka6-epua-h7gz
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3
1
url pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3?distro=trixie
purl pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-62r9-cvp9-tfbg
1
vulnerability VCID-6smu-rrju-z7ca
2
vulnerability VCID-c5e4-td2w-37by
3
vulnerability VCID-j8jp-r751-sbf8
4
vulnerability VCID-kqrm-h42a-13ce
5
vulnerability VCID-m4t6-vddc-3bfw
6
vulnerability VCID-rka6-epua-h7gz
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3%3Fdistro=trixie
2
url pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1
purl pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-62r9-cvp9-tfbg
1
vulnerability VCID-kqrm-h42a-13ce
2
vulnerability VCID-m4t6-vddc-3bfw
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1
3
url pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1?distro=trixie
purl pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-62r9-cvp9-tfbg
1
vulnerability VCID-kqrm-h42a-13ce
2
vulnerability VCID-m4t6-vddc-3bfw
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1%3Fdistro=trixie
References
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33762.json
reference_id
reference_type
scores
0
value 2.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33762.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33762
reference_id
reference_type
scores
0
value 0.00013
scoring_system epss
scoring_elements 0.02157
published_at 2026-04-02T12:55:00Z
1
value 0.00013
scoring_system epss
scoring_elements 0.02249
published_at 2026-04-04T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02433
published_at 2026-04-21T12:55:00Z
3
value 0.00014
scoring_system epss
scoring_elements 0.02356
published_at 2026-04-07T12:55:00Z
4
value 0.00014
scoring_system epss
scoring_elements 0.02359
published_at 2026-04-08T12:55:00Z
5
value 0.00014
scoring_system epss
scoring_elements 0.02381
published_at 2026-04-09T12:55:00Z
6
value 0.00014
scoring_system epss
scoring_elements 0.02358
published_at 2026-04-11T12:55:00Z
7
value 0.00014
scoring_system epss
scoring_elements 0.02345
published_at 2026-04-12T12:55:00Z
8
value 0.00014
scoring_system epss
scoring_elements 0.02344
published_at 2026-04-13T12:55:00Z
9
value 0.00014
scoring_system epss
scoring_elements 0.02329
published_at 2026-04-16T12:55:00Z
10
value 0.00014
scoring_system epss
scoring_elements 0.02335
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33762
2
reference_url https://github.com/go-git/go-git
reference_id
reference_type
scores
0
value 2.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/go-git/go-git
3
reference_url https://github.com/go-git/go-git/releases/tag/v5.17.1
reference_id
reference_type
scores
0
value 2.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:26Z/
url https://github.com/go-git/go-git/releases/tag/v5.17.1
4
reference_url https://github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8
reference_id
reference_type
scores
0
value 2.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:26Z/
url https://github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33762
reference_id
reference_type
scores
0
value 2.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33762
6
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132584
reference_id 1132584
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132584
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2453382
reference_id 2453382
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2453382
Weaknesses
0
cwe_id 129
name Improper Validation of Array Index
description The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
1
cwe_id 1284
name Improper Validation of Specified Quantity in Input
description The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
Exploits
Severity_range_score 0.1 - 3
Exploitability 0.5
Weighted_severity 2.7
Risk_score 1.4
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-62r9-cvp9-tfbg