Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/21072?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21072?format=api", "vulnerability_id": "VCID-kqrm-h42a-13ce", "summary": "go-git improperly verifies data integrity values for .idx and .pack files\n### Impact \n\nA vulnerability was discovered in `go-git` whereby data integrity values for `.pack` and `.idx` files were not properly verified. This resulted in `go-git` potentially consuming corrupted files, which would likely result in unexpected errors such as `object not found`.\n\nFor context, clients fetch [`packfiles`](https://git-scm.com/docs/pack-protocol#_packfile_data) from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (`.idx`) are [generated](https://git-scm.com/docs/pack-format) locally by `go-git`, or the `git` cli, when new `.pack` files are received and processed. The integrity checks for both files were not being verified correctly.\n\nNote that the lack of verification of the packfile checksum has no impact on the trust relationship between the client and server, which is enforced based on the protocol being used (e.g. TLS in the case of `https://` or known hosts for `ssh://`). In other words, the packfile checksum verification does not provide any security benefits when connecting to a malicious or compromised Git server.\n\n### Patches\n\nUsers should upgrade to `v5.16.5`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability.\n\n### Workarounds\n\nIn case updating to a fixed version of `go-git` is not possible, users can run [git fsck](https://git-scm.com/docs/git-fsck) from the `git` cli to check for data corruption on a given repository. \n\n### Credit\n\nThanks @N0zoM1z0 for finding and reporting this issue privately to the `go-git` project.", "aliases": [ { "alias": "CVE-2026-25934" }, { "alias": "GHSA-37cx-329c-33x3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994829?format=api", "purl": "pkg:deb/debian/golang-github-go-git-go-git@5.16.2-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.16.2-1" }, { "url": "http://public2.vulnerablecode.io/api/packages/923949?format=api", "purl": "pkg:deb/debian/golang-github-go-git-go-git@5.17.0-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.17.0-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/1067540?format=api", "purl": "pkg:deb/debian/golang-github-go-git-go-git@5.17.1-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.17.1-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/63129?format=api", "purl": "pkg:golang/github.com/go-git/go-git/v5@5.16.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/github.com/go-git/go-git/v5@5.16.5" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994827?format=api", "purl": "pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-62r9-cvp9-tfbg" }, { "vulnerability": "VCID-6smu-rrju-z7ca" }, { "vulnerability": "VCID-c5e4-td2w-37by" }, { "vulnerability": "VCID-j8jp-r751-sbf8" }, { "vulnerability": "VCID-kqrm-h42a-13ce" }, { "vulnerability": "VCID-m4t6-vddc-3bfw" }, { "vulnerability": "VCID-rka6-epua-h7gz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3" }, { "url": "http://public2.vulnerablecode.io/api/packages/923948?format=api", "purl": "pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-62r9-cvp9-tfbg" }, { "vulnerability": "VCID-6smu-rrju-z7ca" }, { "vulnerability": "VCID-c5e4-td2w-37by" }, { "vulnerability": "VCID-j8jp-r751-sbf8" }, { "vulnerability": "VCID-kqrm-h42a-13ce" }, { "vulnerability": "VCID-m4t6-vddc-3bfw" }, { "vulnerability": "VCID-rka6-epua-h7gz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/923951?format=api", "purl": "pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-62r9-cvp9-tfbg" }, { "vulnerability": "VCID-kqrm-h42a-13ce" }, { "vulnerability": "VCID-m4t6-vddc-3bfw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/994828?format=api", "purl": "pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-62r9-cvp9-tfbg" }, { "vulnerability": "VCID-kqrm-h42a-13ce" }, { "vulnerability": "VCID-m4t6-vddc-3bfw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1" } ], "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25934.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25934.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25934", "reference_id": "", "reference_type": "", "scores": [ { "value": "6e-05", "scoring_system": "epss", "scoring_elements": "0.00347", "published_at": "2026-04-16T12:55:00Z" }, { "value": "6e-05", "scoring_system": "epss", "scoring_elements": "0.00352", "published_at": "2026-04-13T12:55:00Z" }, { "value": "6e-05", "scoring_system": "epss", "scoring_elements": "0.00355", "published_at": "2026-04-12T12:55:00Z" }, { "value": "6e-05", "scoring_system": "epss", "scoring_elements": "0.00371", "published_at": "2026-04-02T12:55:00Z" }, { "value": "6e-05", "scoring_system": "epss", "scoring_elements": "0.00359", "published_at": "2026-04-09T12:55:00Z" }, { "value": "6e-05", "scoring_system": "epss", "scoring_elements": "0.00362", "published_at": "2026-04-07T12:55:00Z" }, { "value": "6e-05", "scoring_system": "epss", "scoring_elements": "0.00375", "published_at": "2026-04-04T12:55:00Z" }, { "value": "6e-05", "scoring_system": "epss", "scoring_elements": "0.00358", "published_at": "2026-04-11T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00532", "published_at": "2026-05-14T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00506", "published_at": "2026-04-18T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00537", "published_at": "2026-04-21T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00533", "published_at": "2026-04-24T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00535", "published_at": "2026-05-09T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00542", "published_at": "2026-05-05T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.0054", "published_at": "2026-05-07T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00531", "published_at": "2026-05-11T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00529", "published_at": "2026-05-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25934" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/go-git/go-git", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/go-git/go-git" }, { "reference_url": "https://github.com/go-git/go-git/releases/tag/v5.16.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-11T21:23:04Z/" } ], "url": "https://github.com/go-git/go-git/releases/tag/v5.16.5" }, { "reference_url": "https://github.com/go-git/go-git/security/advisories/GHSA-37cx-329c-33x3", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-11T21:23:04Z/" } ], "url": "https://github.com/go-git/go-git/security/advisories/GHSA-37cx-329c-33x3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25934", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25934" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127844", "reference_id": "1127844", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127844" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438332", "reference_id": "2438332", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438332" }, { "reference_url": "https://usn.ubuntu.com/8088-1/", "reference_id": "USN-8088-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8088-1/" } ], "weaknesses": [ { "cwe_id": 354, "name": "Improper Validation of Integrity Check Value", "description": "The product does not validate or incorrectly validates the integrity check values or checksums of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission." } ], "exploits": [], "severity_range_score": "4.0 - 6.9", "exploitability": "0.5", "weighted_severity": "6.2", "risk_score": 3.1, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kqrm-h42a-13ce" }