
CVE-2025-21614 – go-git clients vulnerable to DoS via maliciously crafted Git server replies
https://notcve.org/view.php?id=CVE-2025-21614
06 Jan 2025
go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which trigger resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.
https://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4
CWE-400: Uncontrolled Resource Consumption; CWE-770: Allocation of Resources Without Limits or Throttling

CVE-2025-21613 – go-git has an Argument Injection via the URL field
https://notcve.org/view.php?id=CVE-2025-21613
06 Jan 2025
go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values for git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.
https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m
CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CVE-2023-49569 – Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients
https://notcve.org/view.php?id=CVE-2023-49569
12 Jan 2024
A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worst-case scenario, remote code execution could be achieved. Applications are only affected if they are using the ChrootOS (https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS), which is the default when using the "Plain" versions of the Open and Clone functions (e.g. PlainClone).
https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2023-49568 – Maliciously crafted Git server replies can cause DoS on go-git clients
https://notcve.org/view.php?id=CVE-2023-49568
12 Jan 2024
A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which trigger resource exhaustion in go-git clients. Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability. This is a go-git implementation issue and does not affect the upstream git CLI.
https://github.com/go-git/go-git/security/advisories/GHSA-mw99-9chc-xw7r
CWE-20: Improper Input Validation; CWE-400: Uncontrolled Resource Consumption