go-git
cpe:2.3:a:go-git_project:go-git:*:*:*:*:go:*:*
- >= 4, < 5.13.0
An argument injection vulnerability has been identified in go-git, a Git implementation library written in Go, affecting versions from 4.0.0 up to, but not including, 5.13.0. The vulnerability is exposed only when the file transport protocol is used, because this is the only protocol that interacts with Git binaries. Exploitation could allow an attacker to inject arbitrary values into git-upload-pack flags.
Exploitation could lead to unauthorized modification of git-upload-pack flags, potentially allowing for manipulation of Git operations or behavior.
Users are advised to upgrade to go-git version 5.13.0. If an immediate upgrade is not possible, it is recommended to implement strict validation rules for values in the URL field.
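One way to apply the URL validation recommended above, as an added example that is not go-git code or part of the original advisory. `ValidateRepoURL`, the `/srv/git` base directory and the sample URLs are hypothetical; the scheme allowlist and the rule rejecting `-`-prefixed values are assumptions about what strict validation should cover, and POSIX paths are assumed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ValidateRepoURL vets an untrusted repository URL before it reaches go-git.
// allowedBase is a hypothetical directory that may hold local repositories;
// pass "" to refuse the file transport entirely.
func ValidateRepoURL(raw, allowedBase string) error {
	if raw == "" || strings.HasPrefix(raw, "-") || strings.ContainsAny(raw, " \t\r\n\x00") {
		return errors.New("empty, option-like, or contains whitespace/NUL")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("unparseable URL: %w", err)
	}
	switch u.Scheme {
	case "https", "ssh":
		return nil // per the advisory, only the file transport invokes Git binaries
	case "file", "": // local repository: apply the path checks below
	default:
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if allowedBase == "" || u.Host != "" || u.RawQuery != "" || u.Fragment != "" {
		return errors.New("file transport disabled or URL is not a bare path")
	}
	p := filepath.Clean(u.Path) // u.Path is percent-decoded, so %2D is seen as '-'
	rel, err := filepath.Rel(allowedBase, p)
	if !filepath.IsAbs(p) || err != nil || rel == ".." || strings.HasPrefix(rel, "../") {
		return errors.New("path must be absolute and inside the allowed base")
	}
	for _, seg := range strings.Split(rel, "/") {
		if strings.HasPrefix(seg, "-") { // would read as a flag on a command line
			return errors.New("path segment starts with '-'")
		}
	}
	return nil
}

func main() {
	for _, s := range []string{"file:///srv/git/app.git", "file:///srv/git/--flag=x"} {
		fmt.Printf("%-28s -> %v\n", s, ValidateRepoURL(s, "/srv/git"))
	}
}
```

Validation of this kind is a stopgap for deployments that cannot yet move to 5.13.0; it does not replace the upgrade.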