SB2026051911 - Multiple vulnerabilities in go-git
Published: May 19, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) Resource exhaustion (CVE-ID: N/A)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in Git object parsing when processing maliciously crafted Git repository data. A remote attacker can supply crafted .pack, .idx, or loose object data to cause a denial of service.
User interaction is required, such as interacting with a malicious remote server.
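The following is an added example of the defensive parsing this class of bug calls for; it is not go-git's code, and the limits it enforces (maxHeaderBytes, maxObjectSize) are values chosen for illustration. It decodes a pack entry header (Git's real layout: continuation bit, 3-bit type, size as a little-endian varint) while refusing over-long varints and oversized declared sizes, and it inflates the zlib body through a bounded reader so a declared size or a stream that inflates beyond it can never drive a large allocation.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"errors"
	"fmt"
	"io"
)

// Limits assumed for this example; they are not go-git's own values.
const (
	maxHeaderBytes = 10       // a 64-bit size never needs more varint bytes than this
	maxObjectSize  = 64 << 20 // refuse any single object declared larger than 64 MiB
)

var (
	ErrTruncated = errors.New("pack: truncated object header")
	ErrOverlong  = errors.New("pack: over-long size varint")
	ErrTooLarge  = errors.New("pack: declared object size exceeds limit")
)

// ParseEntryHeader decodes the type and inflated size of one pack entry from b.
// Pack layout: byte 0 carries a continuation bit (MSB), the 3-bit object type
// and the low 4 bits of the size; each further byte, while the previous MSB was
// set, carries 7 more size bits. n is the number of header bytes consumed.
func ParseEntryHeader(b []byte) (objType uint8, size uint64, n int, err error) {
	if len(b) == 0 {
		return 0, 0, 0, ErrTruncated
	}
	c := b[0]
	objType = (c >> 4) & 0x7
	size = uint64(c & 0x0f)
	shift := uint(4)
	n = 1
	for c&0x80 != 0 {
		if n >= len(b) {
			return 0, 0, n, ErrTruncated
		}
		if n >= maxHeaderBytes { // bound the loop: a hostile varint cannot run forever
			return 0, 0, n, ErrOverlong
		}
		c = b[n]
		n++
		size |= uint64(c&0x7f) << shift
		shift += 7
	}
	if size > maxObjectSize { // reject before any buffer is sized from this value
		return objType, size, n, ErrTooLarge
	}
	return objType, size, n, nil
}

// ReadObjectBody inflates one zlib-compressed body whose declared size was
// validated by ParseEntryHeader. The declared size is never used to allocate
// up front; the inflated stream is capped at size+1 bytes, so a body that
// inflates past its header (a zip bomb) is rejected instead of eating memory.
func ReadObjectBody(r io.Reader, size uint64) ([]byte, error) {
	if size > maxObjectSize {
		return nil, ErrTooLarge
	}
	zr, err := zlib.NewReader(r)
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	data, err := io.ReadAll(io.LimitReader(zr, int64(size)+1))
	if err != nil {
		return nil, err
	}
	if uint64(len(data)) != size {
		return nil, fmt.Errorf("pack: body inflates to %d bytes, header declared %d", len(data), size)
	}
	return data, nil
}

func main() {
	// Constructed sample entry: a blob (type 3) of 11 bytes, header byte 0x3b.
	body := []byte("hello, pack")
	var pack bytes.Buffer
	pack.WriteByte(0x30 | byte(len(body)))
	zw := zlib.NewWriter(&pack)
	zw.Write(body)
	zw.Close()

	raw := pack.Bytes()
	typ, size, n, err := ParseEntryHeader(raw)
	if err != nil {
		panic(err)
	}
	data, err := ReadObjectBody(bytes.NewReader(raw[n:]), size)
	if err != nil {
		panic(err)
	}
	fmt.Printf("type=%d size=%d body=%q\n", typ, size, data)

	// A header declaring 128 MiB is refused before anything is allocated.
	_, _, _, err = ParseEntryHeader([]byte{0xb0, 0x80, 0x80, 0x80, 0x04})
	fmt.Println("oversized header:", err)
}
```

The same two rules (bound every loop driven by attacker-controlled counts, and never size an allocation from a declared length before it has been checked) apply equally to .idx fan-out tables and loose object headers.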
2) Path traversal (CVE-ID: CVE-2026-45571)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to modify files in the repository .git directory and submodule .git directories.
The vulnerability exists due to path traversal in path validation logic when processing a maliciously crafted repository payload during checkout. A remote attacker can supply a crafted repository to modify files in the repository .git directory and submodule .git directories.
User interaction is required to interact with a maliciously crafted repository payload. Some attack vectors are platform-specific and may affect only Windows users, only macOS users, or all supported platforms.
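As an added illustration of the check a checkout path validator needs, the example below rejects any tree entry path that could land in a .git directory (top-level or inside a submodule) or escape the worktree. It is not go-git's validation logic. The platform equivalences it folds in (case-insensitive names, trailing dots and spaces stripped by Windows, NTFS ":stream" suffixes, and the 8.3 short name GIT~1) are assumptions drawn from how Windows and macOS filesystems resolve names, not details taken from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

var ErrUnsafePath = errors.New("checkout: refusing unsafe worktree path")

// isDotGitName reports whether one path component would resolve to ".git" on
// some supported platform. The equivalences are assumptions for this example.
func isDotGitName(c string) bool {
	if i := strings.IndexByte(c, ':'); i >= 0 {
		c = c[:i] // NTFS drops a ":stream" suffix when resolving the base name
	}
	c = strings.TrimRight(c, ". ") // Windows strips trailing dots and spaces
	c = strings.ToUpper(c)         // Windows and default macOS volumes are case-insensitive
	if c == ".GIT" {
		return true
	}
	if strings.HasPrefix(c, "GIT~") { // 8.3 short name: GIT~ followed by digits
		rest := c[4:]
		if rest == "" {
			return false
		}
		for _, r := range rest {
			if r < '0' || r > '9' {
				return false
			}
		}
		return true
	}
	return false
}

// ValidateCheckoutPath returns the cleaned, slash-separated relative path a
// tree entry may be written to, or ErrUnsafePath.
func ValidateCheckoutPath(p string) (string, error) {
	if p == "" {
		return "", ErrUnsafePath
	}
	// Treat backslashes as separators so "sub\..\.git" is not one file name on Windows.
	p = strings.ReplaceAll(p, "\\", "/")
	if strings.HasPrefix(p, "/") { // absolute or UNC-style path
		return "", ErrUnsafePath
	}
	if len(p) >= 2 && p[1] == ':' { // drive-letter prefix (conservative on Unix)
		return "", ErrUnsafePath
	}
	for _, c := range strings.Split(p, "/") {
		switch {
		case c == "" || c == ".":
			continue // path.Clean removes these
		case c == "..":
			return "", ErrUnsafePath
		case isDotGitName(c): // anywhere in the path covers submodule .git dirs too
			return "", ErrUnsafePath
		}
	}
	clean := path.Clean(p)
	if clean == "." {
		return "", ErrUnsafePath
	}
	return clean, nil
}

func main() {
	// Constructed sample entries, as an attacker-controlled tree might supply them.
	for _, p := range []string{
		"src/main.go", ".gitignore", "../escape", ".git/hooks/pre-commit",
		"vendor/lib/.GIT/config", "sub/.git./hooks/x", "sub/GIT~1/x",
		".git:$INDEX_ALLOCATION/x", "sub\\..\\.git\\x", "C:/Windows/x",
	} {
		clean, err := ValidateCheckoutPath(p)
		fmt.Printf("%-28q -> %q %v\n", p, clean, err)
	}
}
```

A legitimate tree never contains a component named .git, so refusing every equivalent spelling costs nothing and closes the platform-specific variants at once.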
3) Improper Encoding or Escaping of Output (CVE-ID: CVE-2026-45570)
CWE-ID: CWE-116 - Improper Encoding or Escaping of Output
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute commands in the SSH server account context.
The vulnerability exists due to improper encoding or escaping of output in the SSH transport remote exec command construction when processing a repository path containing a single quote. A remote attacker can supply a crafted repository path to execute commands in the SSH server account context.
Exploitation requires an SSH server configuration that evaluates the exec command through a shell; canonical git-shell setups that tokenize the exec command without shell evaluation are not affected.
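The following is an added example showing the flawed command construction next to a quoted form; it is an illustration, not go-git's code or its actual fix. SplitShellCommands is a deliberately minimal model of a shell-evaluating server (single quotes, backslash escapes, whitespace and ';' only) used to make the command boundary visible; a git-shell that tokenizes without shell evaluation, as the advisory notes, would not split the string this way.

```go
package main

import (
	"fmt"
	"strings"
)

// VulnerableExec mirrors the flawed pattern: the repository path is dropped into
// single quotes with no escaping, so a quote inside the path ends the literal
// early. (Example reconstruction, not go-git's code.)
func VulnerableExec(repoPath string) string {
	return "git-upload-pack '" + repoPath + "'"
}

// ShellQuote wraps s in single quotes and rewrites each embedded single quote
// as '\'' (close the literal, escaped quote, reopen), the standard POSIX idiom.
func ShellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// HardenedExec builds the same exec command with the path properly quoted.
func HardenedExec(repoPath string) string {
	return "git-upload-pack " + ShellQuote(repoPath)
}

// SplitShellCommands models how a POSIX shell tokenizes the exec string:
// whitespace separates words, ';' separates commands, '...' is literal and a
// backslash outside quotes escapes the next byte. No double quotes, pipes or
// expansions are modelled; it exists only to show where commands begin and end.
func SplitShellCommands(line string) [][]string {
	var cmds [][]string
	var cur []string
	var word strings.Builder
	inWord, inQuote := false, false
	flushWord := func() {
		if inWord {
			cur = append(cur, word.String())
			word.Reset()
			inWord = false
		}
	}
	flushCmd := func() {
		flushWord()
		if len(cur) > 0 {
			cmds = append(cmds, cur)
			cur = nil
		}
	}
	for i := 0; i < len(line); i++ {
		c := line[i]
		switch {
		case inQuote:
			if c == '\'' {
				inQuote = false
			} else {
				word.WriteByte(c)
			}
		case c == '\'':
			inQuote, inWord = true, true
		case c == '\\' && i+1 < len(line):
			i++
			word.WriteByte(line[i])
			inWord = true
		case c == ';':
			flushCmd()
		case c == ' ' || c == '\t':
			flushWord()
		default:
			word.WriteByte(c)
			inWord = true
		}
	}
	flushCmd()
	return cmds
}

func main() {
	hostile := "repo'; touch /tmp/pwn; echo '" // constructed attacker-controlled path
	for _, cmd := range SplitShellCommands(VulnerableExec(hostile)) {
		fmt.Printf("vulnerable: %q\n", cmd)
	}
	for _, cmd := range SplitShellCommands(HardenedExec(hostile)) {
		fmt.Printf("hardened:   %q\n", cmd)
	}
}
```

Quoting is one defence; rejecting repository paths that contain quotes or other shell metacharacters outright is an equally valid policy for a client that never needs them, and it removes the dependency on the server's shell semantics altogether.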
Remediation
Install the update from the vendor's website; the GitHub advisories listed under References identify the fixed go-git versions.
References
- https://github.com/go-git/go-git/security/advisories/GHSA-w5pp-99ch-qj29
- https://github.com/advisories/GHSA-w5pp-99ch-qj29
- https://github.com/go-git/go-git/security/advisories/GHSA-crhj-59gh-8x96
- https://github.com/advisories/GHSA-crhj-59gh-8x96
- https://github.com/go-git/go-git/security/advisories/GHSA-m7cr-m3pv-hgrp
- https://github.com/advisories/GHSA-m7cr-m3pv-hgrp