go-git Out-of-Bounds Slice Operation Vulnerability in Index Decoder Version 4

Vulnerability

A vulnerability exists in go-git's decoder for Git index format version 4, in versions prior to 5.17.1. Index format 4 prefix-compresses path names: each entry stores a variable-width integer giving how many bytes to strip from the previously decoded path, followed by the NUL-terminated suffix to append. The decoder applies that strip length to the previous path without first checking that it is no larger than the previous path's length. A maliciously crafted index file can therefore supply a strip length larger than the preceding path, which produces a negative slice bound and an out-of-bounds slice operation, and the decoder panics at runtime while parsing the index. Only index format version 4 is affected; formats 2 and 3 do not use prefix compression and are not vulnerable.
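The following is an added illustration, not go-git's own code: a minimal decoder for the v4 path-name field, in both an unchecked form that reproduces the flaw described above and a hardened form that validates the strip length first. The entry byte strings are constructed by hand (not a real index file), and the function and error names are this example's own.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// ErrBadPrefix is returned by the hardened decoder when an entry asks to
// strip more bytes than the previous path contains.
var ErrBadPrefix = errors.New("index v4: strip length exceeds previous path length")

// readVarint decodes Git's variable-width integer, the encoding used for the
// "strip N bytes" field of an index v4 entry: 7 data bits per byte, high bit
// set on every byte except the last, and +1 added for each continuation byte.
func readVarint(r *bufio.Reader) (uint64, error) {
	c, err := r.ReadByte()
	if err != nil {
		return 0, err
	}
	val := uint64(c & 0x7f)
	for c&0x80 != 0 {
		val++
		if val == 0 || val>>57 != 0 { // the next shift would overflow
			return 0, errors.New("index v4: varint overflow")
		}
		if c, err = r.ReadByte(); err != nil {
			return 0, err
		}
		val = (val << 7) | uint64(c&0x7f)
	}
	return val, nil
}

// readSuffix reads the NUL-terminated path suffix that follows the varint.
func readSuffix(r *bufio.Reader) (string, error) {
	s, err := r.ReadString(0)
	if err != nil {
		return "", err
	}
	return s[:len(s)-1], nil
}

// decodeNameUnchecked mirrors the flawed logic: the strip length is applied
// to the previous name without checking it fits, so a crafted entry makes
// the slice bound negative and the Go runtime panics.
func decodeNameUnchecked(r *bufio.Reader, prev string) (string, error) {
	strip, err := readVarint(r)
	if err != nil {
		return "", err
	}
	base := prev[:len(prev)-int(strip)] // panics when strip > len(prev)
	suffix, err := readSuffix(r)
	if err != nil {
		return "", err
	}
	return base + suffix, nil
}

// decodeNameChecked validates the strip length against the previous path
// and returns an error instead of panicking.
func decodeNameChecked(r *bufio.Reader, prev string) (string, error) {
	strip, err := readVarint(r)
	if err != nil {
		return "", err
	}
	if strip > uint64(len(prev)) {
		return "", ErrBadPrefix
	}
	suffix, err := readSuffix(r)
	if err != nil {
		return "", err
	}
	return prev[:len(prev)-int(strip)] + suffix, nil
}

// decodeNames runs a decoder over a stream of v4 name fields and converts a
// panic into an error so the caller can observe the difference.
func decodeNames(data []byte, dec func(*bufio.Reader, string) (string, error)) (names []string, err error) {
	defer func() {
		if p := recover(); p != nil {
			err = fmt.Errorf("decoder panicked: %v", p)
		}
	}()
	r := bufio.NewReader(bytes.NewReader(data))
	prev := ""
	for {
		if _, e := r.Peek(1); e == io.EOF {
			return names, nil
		}
		name, e := dec(r, prev)
		if e != nil {
			return names, e
		}
		names = append(names, name)
		prev = name
	}
}

// Constructed sample streams (not real index files): a well-formed pair of
// entries, then a pair whose second entry strips 127 bytes from an 8-byte path.
var (
	goodEntries = []byte("\x00src/a.go\x00" + "\x04b.go\x00") // src/a.go, src/b.go
	badEntries  = []byte("\x00src/a.go\x00" + "\x7fb.go\x00") // strip 127 > len("src/a.go")
)

func main() {
	names, err := decodeNames(goodEntries, decodeNameChecked)
	fmt.Println(names, err)
	_, err = decodeNames(badEntries, decodeNameUnchecked)
	fmt.Println("unchecked:", err)
	_, err = decodeNames(badEntries, decodeNameChecked)
	fmt.Println("checked:", err)
}
```

Run as-is: the well-formed stream decodes to src/a.go and src/b.go with either decoder; the crafted stream panics inside decodeNameUnchecked (caught here only because decodeNames installs a recover, which a caller that simply parses an index would not have) and is rejected with ErrBadPrefix by decodeNameChecked.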

Impact

Exploitation of this vulnerability causes a runtime panic while the index is being parsed. An unrecovered panic terminates the Go process, so any application that uses go-git to read index files from untrusted sources can be forced into a denial-of-service condition by a single crafted file. No memory corruption or code execution is involved; the impact is availability.

Remediation

Users should upgrade to go-git version 5.17.1 or later, or to a v6 pseudo-version that includes the fix. After upgrading, confirm the version actually resolved in the build with go list -m github.com/go-git/go-git/v5 (or github.com/go-git/go-git/v6), since an indirect dependency can pin an older release.

Added: Mar 31, 2026, 3:22 PM
Updated: Mar 31, 2026, 3:22 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 2.5
exploitability: 2.6
remediation: 7.7
relevance: 5.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.