Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/25856?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/25856?format=api", "vulnerability_id": "VCID-c5e4-td2w-37by", "summary": "go-git clients vulnerable to DoS via maliciously crafted Git server replies\n### Impact\nA denial of service (DoS) vulnerability was discovered in go-git versions prior to `v5.13`. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server that trigger resource exhaustion in `go-git` clients. \n\nThis is a `go-git` implementation issue and does not affect the upstream `git` cli.\n\n### Patches\nUsers running versions of `go-git` from `v4` and above are recommended to upgrade to `v5.13` in order to mitigate this vulnerability.\n\n### Workarounds\nIn cases where a bump to the latest version of `go-git` is not possible, we recommend limiting its use to only trustworthy Git servers.\n\n## Credit\nThanks to Ionut Lalu for responsibly disclosing this vulnerability to us.", "aliases": [ { "alias": "CVE-2025-21614" }, { "alias": "GHSA-r9px-m959-cxf4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/923952?format=api", "purl": "pkg:deb/debian/golang-github-go-git-go-git@5.13.2-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.13.2-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/923951?format=api", "purl": "pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-62r9-cvp9-tfbg" }, { "vulnerability": "VCID-kqrm-h42a-13ce" }, { "vulnerability": "VCID-m4t6-vddc-3bfw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/994828?format=api", "purl": 
"pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-62r9-cvp9-tfbg" }, { "vulnerability": "VCID-kqrm-h42a-13ce" }, { "vulnerability": "VCID-m4t6-vddc-3bfw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1" }, { "url": "http://public2.vulnerablecode.io/api/packages/923949?format=api", "purl": "pkg:deb/debian/golang-github-go-git-go-git@5.17.0-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.17.0-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/1067540?format=api", "purl": "pkg:deb/debian/golang-github-go-git-go-git@5.17.1-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.17.1-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/69134?format=api", "purl": "pkg:golang/github.com/go-git/go-git/v5@5.13.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/github.com/go-git/go-git/v5@5.13.0" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994827?format=api", "purl": "pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-62r9-cvp9-tfbg" }, { "vulnerability": "VCID-6smu-rrju-z7ca" }, { "vulnerability": "VCID-c5e4-td2w-37by" }, { "vulnerability": "VCID-j8jp-r751-sbf8" }, { "vulnerability": "VCID-kqrm-h42a-13ce" }, { "vulnerability": "VCID-m4t6-vddc-3bfw" }, { "vulnerability": "VCID-rka6-epua-h7gz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3" }, { "url": 
"http://public2.vulnerablecode.io/api/packages/923948?format=api", "purl": "pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-62r9-cvp9-tfbg" }, { "vulnerability": "VCID-6smu-rrju-z7ca" }, { "vulnerability": "VCID-c5e4-td2w-37by" }, { "vulnerability": "VCID-j8jp-r751-sbf8" }, { "vulnerability": "VCID-kqrm-h42a-13ce" }, { "vulnerability": "VCID-m4t6-vddc-3bfw" }, { "vulnerability": "VCID-rka6-epua-h7gz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/91556?format=api", "purl": "pkg:rpm/redhat/grafana@9.2.10-21?arch=el9_4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c5e4-td2w-37by" }, { "vulnerability": "VCID-j8jp-r751-sbf8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/grafana@9.2.10-21%3Farch=el9_4" }, { "url": "http://public2.vulnerablecode.io/api/packages/91557?format=api", "purl": "pkg:rpm/redhat/grafana@9.2.10-21?arch=el8_10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c5e4-td2w-37by" }, { "vulnerability": "VCID-j8jp-r751-sbf8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/grafana@9.2.10-21%3Farch=el8_10" } ], "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-21614.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-21614.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-21614", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44694", 
"published_at": "2026-05-14T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44754", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44761", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44684", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44569", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.4464", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44654", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44592", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44621", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44879", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44819", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44871", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44873", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.4489", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44858", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.4486", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44913", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00222", 
"scoring_system": "epss", "scoring_elements": "0.44906", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44841", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00228", "scoring_system": "epss", "scoring_elements": "0.4561", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-21614" }, { "reference_url": "https://github.com/go-git/go-git", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/go-git/go-git" }, { "reference_url": "https://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-06T16:34:38Z/" } ], "url": "https://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21614", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21614" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1092679", "reference_id": "1092679", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1092679" }, { "reference_url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2335901", "reference_id": "2335901", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2335901" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:0401", "reference_id": "RHSA-2025:0401", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:0401" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:0444", "reference_id": "RHSA-2025:0444", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:0444" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:0445", "reference_id": "RHSA-2025:0445", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:0445" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:0654", "reference_id": "RHSA-2025:0654", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:0654" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:0662", "reference_id": "RHSA-2025:0662", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:0662" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:0907", "reference_id": "RHSA-2025:0907", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:0907" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1119", "reference_id": "RHSA-2025:1119", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1119" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1704", "reference_id": "RHSA-2025:1704", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1704" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1869", "reference_id": "RHSA-2025:1869", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1869" }, { 
"reference_url": "https://access.redhat.com/errata/RHSA-2025:1870", "reference_id": "RHSA-2025:1870", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1870" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1888", "reference_id": "RHSA-2025:1888", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1888" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:3069", "reference_id": "RHSA-2025:3069", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:3069" }, { "reference_url": "https://usn.ubuntu.com/8088-1/", "reference_id": "USN-8088-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8088-1/" } ], "weaknesses": [ { "cwe_id": 20, "name": "Improper Input Validation", "description": "The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly." }, { "cwe_id": 400, "name": "Uncontrolled Resource Consumption", "description": "The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources." }, { "cwe_id": 770, "name": "Allocation of Resources Without Limits or Throttling", "description": "The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor." } ], "exploits": [], "severity_range_score": "7.0 - 8.9", "exploitability": "0.5", "weighted_severity": "8.0", "risk_score": 4.0, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c5e4-td2w-37by" }