go-git: Crafted repositories may modify main and submodule .git directories

5.4 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Description

go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, a path validation issue in go-git could allow crafted repository data to affect files outside the intended checkout target, including the repository's .git directory. These validations were introduced in upstream Git years ago, so the vulnerability arose from go-git drifting from those checks. This vulnerability is fixed in 5.19.1 and 6.0.0-alpha.4.

Basic Information

ID CVE-2026-45571

Source GitHub_M

Published May 27, 2026 at 14:57

Modified May 27, 2026 at 16:03

Affected Product

Vendor go-git

Product go-git

Version < 5.19.1

Affected Versions go-git go-git < 5.19.1
go-git go-git >= 6.0.0-alpha.1, < 6.0.0-alpha.4

CWE Classification

CWE-22

References

github.com /go-git/go-git/security/advisories/GHSA-crhj-59gh-8x96

{
    "lastseen": "",
    "description": "go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, a path validation issue in go-git could allow crafted repository data to affect files outside the intended checkout target, including the repository's .git directory. These validations were introduced in upstream Git years ago, so the vulnerability arose from go-git drifting from those checks. This vulnerability is fixed in 5.19.1 and 6.0.0-alpha.4.",
    "published": "2026-05-27T14:57:32.843Z",
    "modified": "2026-05-27T16:03:30.942Z",
    "type": "cve",
    "title": "go-git: Crafted repositories may modify main and submodule .git directories",
    "source": "GitHub_M",
    "references": "https://github.com/go-git/go-git/security/advisories/GHSA-crhj-59gh-8x96",
    "id": "CVE-2026-45571",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "go-git go-git < 5.19.1\ngo-git go-git >= 6.0.0-alpha.1, < 6.0.0-alpha.4",
    "sourceHref": "",
    "cvss": {
        "score": 5.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "go-git",
    "version": "< 5.19.1",
    "vendor": "go-git",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

go-git: Crafted repositories may modify main and submodule .git directories_CVE-2026-45571