| purl | pkg:deb/debian/golang-github-go-git-go-git@5.16.2-1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | | |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-62r9-cvp9-tfbg | go-git missing validation decoding Index v4 files leads to panic ### Impact `go-git`'s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (`go-git` supports only `v2` and `v3`) are not vulnerable to this issue. An attacker able to supply a crafted `.git/index` file can cause applications using go-git to panic while reading the index. If the application does not recover from panics, this results in process termination, leading to a denial-of-service (DoS) condition. Exploitation requires the ability to modify or inject a Git index file within the local repository on disk. This typically implies write access to the `.git` directory. ### Patches Users should upgrade to `v5.17.1`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability. ### Credit go-git maintainers thank @kq5y for finding and reporting this issue privately to the `go-git` project. | CVE-2026-33762, GHSA-gm2x-2g9h-ccm8 |
| VCID-kqrm-h42a-13ce | go-git improperly verifies data integrity values for .idx and .pack files ### Impact A vulnerability was discovered in `go-git` whereby data integrity values for `.pack` and `.idx` files were not properly verified. This resulted in `go-git` potentially consuming corrupted files, which would likely result in unexpected errors such as `object not found`. For context, clients fetch [`packfiles`](https://git-scm.com/docs/pack-protocol#_packfile_data) from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming them. The pack indexes (`.idx`) are [generated](https://git-scm.com/docs/pack-format) locally by `go-git`, or the `git` cli, when new `.pack` files are received and processed. The integrity checks for both files were not being verified correctly. Note that the lack of verification of the packfile checksum has no impact on the trust relationship between the client and server, which is enforced based on the protocol being used (e.g. TLS in the case of `https://` or known hosts for `ssh://`). In other words, the packfile checksum verification does not provide any security benefits when connecting to a malicious or compromised Git server. ### Patches Users should upgrade to `v5.16.5`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability. ### Workarounds In case updating to a fixed version of `go-git` is not possible, users can run [git fsck](https://git-scm.com/docs/git-fsck) from the `git` cli to check for data corruption on a given repository. ### Credit Thanks @N0zoM1z0 for finding and reporting this issue privately to the `go-git` project. | CVE-2026-25934, GHSA-37cx-329c-33x3 |
| VCID-m4t6-vddc-3bfw | go-git: Maliciously crafted idx file can cause asymmetric memory consumption ### Impact A vulnerability has been identified in which a maliciously crafted `.idx` file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a Denial of Service (DoS) condition. Exploitation requires write access to the local repository's `.git` directory, in order to create or alter existing `.idx` files. ### Patches Users should upgrade to `v5.17.1`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability. ### Credit The go-git maintainers thank @kq5y for finding and reporting this issue privately to the `go-git` project. | CVE-2026-34165, GHSA-jhf3-xxhw-2wpp |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-19T06:13:38.946366+00:00 | Debian Importer | Fixing | VCID-62r9-cvp9-tfbg | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-19T06:02:49.206774+00:00 | Debian Importer | Fixing | VCID-m4t6-vddc-3bfw | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T09:08:47.208132+00:00 | Debian Importer | Fixing | VCID-kqrm-h42a-13ce | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-11T18:07:28.396042+00:00 | Debian Importer | Fixing | VCID-kqrm-h42a-13ce | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-04T17:57:23.344009+00:00 | Debian Importer | Fixing | VCID-kqrm-h42a-13ce | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |