Headline
GHSA-v725-9546-7q7m: go-git has an Argument Injection via the URL field
Impact
An argument injection vulnerability was discovered in go-git versions prior to v5.13.
Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries.
Affected versions
Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.
Workarounds
In cases where a bump to the latest version of go-git is not possible, we recommend users to enforce restrict validation rules for values passed in the URL field.
Credit
Thanks to @vin01 for responsibly disclosing this vulnerability to us.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-21613
go-git has an Argument Injection via the URL field
Low severity GitHub Reviewed Published Jan 5, 2025 in go-git/go-git • Updated Jan 6, 2025
Package
gomod github.com/go-git/go-git (Go)
Affected versions
>= 4.0.0, <= 4.13.1
gomod github.com/go-git/go-git/v5 (Go)
gomod gopkg.in/src-d/go-git.v4 (Go)
Impact
An argument injection vulnerability was discovered in go-git versions prior to v5.13.
Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries.
Affected versions
Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.
Workarounds
In cases where a bump to the latest version of go-git is not possible, we recommend users to enforce restrict validation rules for values passed in the URL field.
Credit
Thanks to @vin01 for responsibly disclosing this vulnerability to us.
References
- GHSA-v725-9546-7q7m
Published to the GitHub Advisory Database
Jan 6, 2025