#VU103421 Improper neutralization of argument delimiters in a command in go-git - CVE-2025-21613


Vulnerability identifier: #VU103421

Vulnerability risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-21613

CWE-ID: CWE-88

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
go-git
Universal components / Libraries / Programming Languages & Components

Vendor: go-git

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation when handling URL field in arguments passed to the git-upload-pack command. A remote attacker can trick the victim into passing a specially crafted URL as a flag to the affected command and manipulate arguments for the git-upload-pack command, which can result in information disclosure.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

go-git: 4.0.0 - 5.12.0

External links
https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Cloud Pak for Security
Anolis OS update for grafana
Multiple vulnerabilities in IBM Instana Observability
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data update for go-git
SUSE update for grafana
SUSE update for grafana
SUSE update for grafana
SUSE update for brise
Multiple vulnerabilities in Red Hat Advanced Cluster Security for Kubernetes 4.4
Multiple vulnerabilities in Red Hat Advanced Cluster Security for Kubernetes 4.5