Vulnerabilities affecting this package (0)

This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (2)

Vulnerability: VCID-c5e4-td2w-37by
Summary: go-git clients vulnerable to DoS via maliciously crafted Git server replies
Aliases: CVE-2025-21614, GHSA-r9px-m959-cxf4

### Impact
A denial of service (DoS) vulnerability was discovered in go-git versions prior to `v5.13`. It allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server that trigger resource exhaustion in `go-git` clients.
This is a `go-git` implementation issue and does not affect the upstream `git` CLI.
### Patches
Users running versions of `go-git` from `v4` and above are recommended to upgrade to `v5.13` in order to mitigate this vulnerability.
### Workarounds
In cases where a bump to the latest version of `go-git` is not possible, we recommend limiting its use to only trustworthy Git servers.
## Credit
Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.
Vulnerability: VCID-j8jp-r751-sbf8
Summary: go-git has an Argument Injection via the URL field
Aliases: CVE-2025-21613, GHSA-v725-9546-7q7m

### Impact
An argument injection vulnerability was discovered in `go-git` versions prior to `v5.13`.
Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to [git-upload-pack flags](https://git-scm.com/docs/git-upload-pack). This only happens when the `file` transport protocol is being used, as that is the only protocol that shells out to `git` binaries.
### Affected versions
Users running versions of `go-git` from `v4` and above are recommended to upgrade to `v5.13` in order to mitigate this vulnerability.
### Workarounds
In cases where a bump to the latest version of `go-git` is not possible, we recommend that users enforce strict validation rules for values passed in the URL field.
## Credit
Thanks to @vin01 for responsibly disclosing this vulnerability to us.
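An added example of the URL-field workaround above, in Go; it is not part of this advisory or of go-git itself. It validates a remote URL before the application hands it to go-git, accepting only the `https` and `ssh` transports (an assumed allowlist, which rules out the `file` transport that shells out to `git`) and rejecting any value or path segment that begins with `-`.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// allowedSchemes is an assumed allowlist of transports; "file" is deliberately
// absent because it is the only go-git transport that shells out to git binaries.
var allowedSchemes = map[string]bool{"https": true, "ssh": true}

// ValidateRemoteURL returns nil only if rawURL is an absolute https:// or ssh://
// URL whose path segments cannot be mistaken for command-line flags.
func ValidateRemoteURL(rawURL string) error {
	trimmed := strings.TrimSpace(rawURL)
	if trimmed == "" || strings.HasPrefix(trimmed, "-") {
		return errors.New("remote URL is empty or starts with '-'")
	}
	u, err := url.Parse(trimmed)
	if err != nil {
		return fmt.Errorf("remote URL does not parse: %w", err)
	}
	if !allowedSchemes[strings.ToLower(u.Scheme)] {
		return fmt.Errorf("scheme %q is not allowed (only https and ssh)", u.Scheme)
	}
	if u.Hostname() == "" {
		return errors.New("remote URL has no host")
	}
	// Every path segment must look like a path component, never like a flag.
	for _, seg := range strings.Split(u.Path, "/") {
		if strings.HasPrefix(seg, "-") {
			return fmt.Errorf("path segment %q looks like a flag", seg)
		}
	}
	return nil
}

func main() {
	// Constructed sample inputs: one acceptable remote, then two that must be refused.
	for _, candidate := range []string{
		"https://github.com/go-git/go-git.git",
		"file:///tmp/repo",
		"https://example.com/--injected-flag",
	} {
		fmt.Printf("%-40s -> %v\n", candidate, ValidateRemoteURL(candidate))
	}
}
```

Run the check on every user-supplied remote before calling go-git's clone or fetch APIs, so that the vulnerable transport is never reached with untrusted input.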