Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/24798?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/24798?format=api", "vulnerability_id": "VCID-m4t6-vddc-3bfw", "summary": "go-git: Maliciously crafted idx file can cause asymmetric memory consumption\n### Impact\n\nA vulnerability has been identified in which a maliciously crafted `.idx` file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a Denial of Service (DoS) condition.\n\nExploitation requires write access to the local repository's `.git` directory, it order to create or alter existing `.idx` files. \n\n### Patches\n\nUsers should upgrade to `v5.17.1`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability.\n\n### Credit\n\nThe go-git maintainers thank @kq5y for finding and reporting this issue privately to the `go-git` project.", "aliases": [ { "alias": "CVE-2026-34165" }, { "alias": "GHSA-jhf3-xxhw-2wpp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994829?format=api", "purl": "pkg:deb/debian/golang-github-go-git-go-git@5.16.2-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.16.2-1" }, { "url": "http://public2.vulnerablecode.io/api/packages/1067540?format=api", "purl": "pkg:deb/debian/golang-github-go-git-go-git@5.17.1-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.17.1-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/68030?format=api", "purl": "pkg:golang/github.com/go-git/go-git/v5@5.17.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/github.com/go-git/go-git/v5@5.17.1" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994827?format=api", "purl": "pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-62r9-cvp9-tfbg" }, { "vulnerability": "VCID-6smu-rrju-z7ca" }, { "vulnerability": "VCID-c5e4-td2w-37by" }, { "vulnerability": "VCID-j8jp-r751-sbf8" }, { "vulnerability": "VCID-kqrm-h42a-13ce" }, { "vulnerability": "VCID-m4t6-vddc-3bfw" }, { "vulnerability": "VCID-rka6-epua-h7gz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3" }, { "url": "http://public2.vulnerablecode.io/api/packages/923948?format=api", "purl": "pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-62r9-cvp9-tfbg" }, { "vulnerability": "VCID-6smu-rrju-z7ca" }, { "vulnerability": "VCID-c5e4-td2w-37by" }, { "vulnerability": "VCID-j8jp-r751-sbf8" }, { "vulnerability": "VCID-kqrm-h42a-13ce" }, { "vulnerability": "VCID-m4t6-vddc-3bfw" }, { "vulnerability": "VCID-rka6-epua-h7gz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/923951?format=api", "purl": "pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-62r9-cvp9-tfbg" }, { "vulnerability": "VCID-kqrm-h42a-13ce" }, { "vulnerability": "VCID-m4t6-vddc-3bfw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/994828?format=api", "purl": "pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-62r9-cvp9-tfbg" }, { "vulnerability": "VCID-kqrm-h42a-13ce" }, { "vulnerability": "VCID-m4t6-vddc-3bfw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1" } ], "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34165.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34165.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34165", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02244", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02234", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02252", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02254", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02266", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02284", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02262", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02094", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.0226", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02158", "published_at": "2026-04-04T12:55:00Z" }, { "value": "5e-05", "scoring_system": "epss", "scoring_elements": "0.00278", "published_at": "2026-04-29T12:55:00Z" }, { "value": "5e-05", "scoring_system": "epss", "scoring_elements": "0.00285", "published_at": "2026-04-24T12:55:00Z" }, { "value": "5e-05", "scoring_system": "epss", "scoring_elements": "0.00283", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34165" }, { "reference_url": "https://github.com/go-git/go-git", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/go-git/go-git" }, { "reference_url": "https://github.com/go-git/go-git/releases/tag/v5.17.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:09:59Z/" } ], "url": "https://github.com/go-git/go-git/releases/tag/v5.17.1" }, { "reference_url": "https://github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp", "reference_id": "", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:09:59Z/" } ], "url": "https://github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34165", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34165" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132584", "reference_id": "1132584", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132584" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453379", "reference_id": "2453379", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453379" } ], "weaknesses": [ { "cwe_id": 191, "name": "Integer Underflow (Wrap or Wraparound)", "description": "The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result." }, { "cwe_id": 770, "name": "Allocation of Resources Without Limits or Throttling", "description": "The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor." } ], "exploits": [], "severity_range_score": "4.0 - 6.9", "exploitability": "0.5", "weighted_severity": "6.2", "risk_score": 3.1, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m4t6-vddc-3bfw" }