Incorrect Behavior Order: Validate Before Canonicalize in go-git - #VU130475
Published: May 7, 2026
Vulnerability identifier: #VU130475
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-180
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: go-git
Affected software:
go-git
go-git
Detailed vulnerability description
The vulnerability allows a remote user to cause inconsistent interpretation of Git object metadata and accept a signature over data that is not byte-for-byte equivalent to the stored object.
The vulnerability exists due to validate-before-canonicalize behavior in commit and tag object parsing and signature verification logic when processing specially crafted malformed Git objects with ambiguous headers. A remote user can supply a specially crafted commit or tag object to cause inconsistent interpretation of Git object metadata and accept a signature over data that is not byte-for-byte equivalent to the stored object.
Remediation
Install security update from vendor's website.