| purl | pkg:deb/debian/golang-github-go-git-go-git@5.17.0-1?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | | |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-6smu-rrju-z7ca | Maliciously crafted Git server replies can cause DoS on go-git clients. **Impact:** A denial of service (DoS) vulnerability was discovered in go-git versions prior to `v5.11`. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which trigger resource exhaustion in `go-git` clients. Applications using only the in-memory filesystem supported by `go-git` are not affected by this vulnerability. This is a `go-git` implementation issue and does not affect the upstream `git` cli. **Patches:** Users running versions of `go-git` from `v4` and above are recommended to upgrade to `v5.11` in order to mitigate this vulnerability. **Workarounds:** In cases where a bump to the latest version of `go-git` is not possible, we recommend limiting its use to only trustworthy Git servers. **Credit:** Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us. **References:** [GHSA-mw99-9chc-xw7r](https://github.com/go-git/go-git/security/advisories/GHSA-mw99-9chc-xw7r) | CVE-2023-49568, GHSA-mw99-9chc-xw7r |
| VCID-c5e4-td2w-37by | go-git clients vulnerable to DoS via maliciously crafted Git server replies. **Impact:** A denial of service (DoS) vulnerability was discovered in go-git versions prior to `v5.13`. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which trigger resource exhaustion in `go-git` clients. This is a `go-git` implementation issue and does not affect the upstream `git` cli. **Patches:** Users running versions of `go-git` from `v4` and above are recommended to upgrade to `v5.13` in order to mitigate this vulnerability. **Workarounds:** In cases where a bump to the latest version of `go-git` is not possible, we recommend limiting its use to only trustworthy Git servers. **Credit:** Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us. | CVE-2025-21614, GHSA-r9px-m959-cxf4 |
| VCID-j8jp-r751-sbf8 | go-git has an Argument Injection via the URL field. **Impact:** An argument injection vulnerability was discovered in `go-git` versions prior to `v5.13`. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to [git-upload-pack flags](https://git-scm.com/docs/git-upload-pack). This only happens when the `file` transport protocol is being used, as that is the only protocol that shells out to `git` binaries. **Affected versions:** Users running versions of `go-git` from `v4` and above are recommended to upgrade to `v5.13` in order to mitigate this vulnerability. **Workarounds:** In cases where a bump to the latest version of `go-git` is not possible, we recommend users enforce strict validation rules for values passed in the URL field. **Credit:** Thanks to @vin01 for responsibly disclosing this vulnerability to us. | CVE-2025-21613, GHSA-v725-9546-7q7m |
| VCID-kqrm-h42a-13ce | go-git improperly verifies data integrity values for .idx and .pack files. **Impact:** A vulnerability was discovered in `go-git` whereby data integrity values for `.pack` and `.idx` files were not properly verified. This resulted in `go-git` potentially consuming corrupted files, which would likely result in unexpected errors such as `object not found`. For context, clients fetch [`packfiles`](https://git-scm.com/docs/pack-protocol#_packfile_data) from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming them. The pack indexes (`.idx`) are [generated](https://git-scm.com/docs/pack-format) locally by `go-git`, or the `git` cli, when new `.pack` files are received and processed. The integrity checks for both files were not being verified correctly. Note that the lack of verification of the packfile checksum has no impact on the trust relationship between the client and server, which is enforced based on the protocol being used (e.g. TLS in the case of `https://` or known hosts for `ssh://`). In other words, the packfile checksum verification does not provide any security benefits when connecting to a malicious or compromised Git server. **Patches:** Users should upgrade to `v5.16.5`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability. **Workarounds:** In case updating to a fixed version of `go-git` is not possible, users can run [git fsck](https://git-scm.com/docs/git-fsck) from the `git` cli to check for data corruption on a given repository. **Credit:** Thanks @N0zoM1z0 for finding and reporting this issue privately to the `go-git` project. | CVE-2026-25934, GHSA-37cx-329c-33x3 |
| VCID-rka6-epua-h7gz | Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients. **Impact:** A path traversal vulnerability was discovered in go-git versions prior to `v5.11`. This vulnerability allows an attacker to create and amend files across the filesystem. In the worst case scenario, remote code execution could be achieved. Applications are only affected if they are using the [ChrootOS](https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS), which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using [BoundOS](https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS) or in-memory filesystems are not affected by this issue. This is a `go-git` implementation issue and does not affect the upstream `git` cli. **Patches:** Users running versions of `go-git` from `v4` and above are recommended to upgrade to `v5.11` in order to mitigate this vulnerability. **Workarounds:** In cases where a bump to the latest version of `go-git` is not possible in a timely manner, we recommend limiting its use to only trustworthy Git servers. **Credit:** Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us. | CVE-2023-49569, GHSA-449p-3h89-pw88 |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-17T22:43:17.926760+00:00 | Debian Importer | Fixing | VCID-kqrm-h42a-13ce | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-03T07:25:42.557458+00:00 | Debian Importer | Fixing | VCID-kqrm-h42a-13ce | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:25:42.510841+00:00 | Debian Importer | Fixing | VCID-c5e4-td2w-37by | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:25:42.467746+00:00 | Debian Importer | Fixing | VCID-j8jp-r751-sbf8 | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:25:42.425090+00:00 | Debian Importer | Fixing | VCID-rka6-epua-h7gz | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:25:42.379306+00:00 | Debian Importer | Fixing | VCID-6smu-rrju-z7ca | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |