GHSA-r9px-m959-cxf4: go-git clients vulnerable to DoS via maliciously crafted Git server replies
Impact
A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which trigger resource exhaustion in go-git clients.
This is a go-git implementation issue and does not affect the upstream git CLI.
Patches
Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.
Workarounds
In cases where a bump to the latest version of go-git is not possible, we recommend limiting its use to only trustworthy Git servers.
Credit
Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.
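As an added example (not code from the advisory or from the go-git project), a small Go check that encodes the affected ranges stated on this page, the v4 line from 4.0.0 through 4.13.1 under either of its module paths and the v5 line before v5.13, and scans go.mod or `go list -m all` output for requirements that fall inside them. The sample go.mod and the module `example.com/other` are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// versionKey maps a Go module version such as "v5.12.0" or "v5.13.0-rc1" to one
// sortable integer, with a pre-release just below its final release, or -1 if
// it cannot be parsed; components are capped at 999 so they never overlap.
func versionKey(v string) int64 {
	var major, minor, patch int
	n, _ := fmt.Sscanf(v, "v%d.%d.%d", &major, &minor, &patch)
	if n != 3 || uint(major) > 999 || uint(minor) > 999 || uint(patch) > 999 {
		return -1
	}
	k := int64(major)*1e9 + int64(minor)*1e6 + int64(patch)*1e3 + 1
	if strings.Contains(v, "-") { // e.g. v5.13.0-rc1 is older than v5.13.0
		k--
	}
	return k
}

// IsAffected applies the advisory's ranges: the v4 line (>= 4.0.0, <= 4.13.1)
// under either of its module paths, and the v5 line before v5.13. Other
// modules and unparseable versions (key -1) are reported as not affected.
func IsAffected(modulePath, version string) bool {
	k := versionKey(version)
	switch modulePath {
	case "github.com/go-git/go-git", "gopkg.in/src-d/go-git.v4":
		return k >= versionKey("v4.0.0") && k <= versionKey("v4.13.1")
	case "github.com/go-git/go-git/v5":
		return k >= 0 && k < versionKey("v5.13.0")
	}
	return false
}

// AffectedRequirements lists affected go-git lines from go.mod or "go list -m all" text.
func AffectedRequirements(text string) (hits []string) {
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && strings.HasPrefix(f[1], "v") && IsAffected(f[0], f[1]) {
			hits = append(hits, f[0]+" "+f[1])
		}
	}
	return hits
}

// sampleGoMod is a constructed go.mod fragment for demonstration only.
const sampleGoMod = "module example.com/app\n\nrequire (\n\tgithub.com/go-git/go-git/v5 v5.12.0 // indirect\n\texample.com/other v1.2.3\n)\n"
```

Pipe the real `go list -m all` output of a module into AffectedRequirements to get the same report for an actual build.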
- CVE-2025-21614
High severity. GitHub Reviewed. Published Jan 5, 2025 in go-git/go-git. Updated Jan 6, 2025.
Package: gomod github.com/go-git/go-git (Go)
Affected versions: >= 4.0.0, <= 4.13.1
Package: gomod github.com/go-git/go-git/v5 (Go)
Package: gomod gopkg.in/src-d/go-git.v4 (Go)
References
- GHSA-r9px-m959-cxf4
Published to the GitHub Advisory Database: Jan 6, 2025