github.com/go-git/go-git
cpe:2.3:a:go-git_project:go-git:*:*:*:*:go:*:*
- <= 5.17.2
- <= 6.0.0-alpha.1
A vulnerability in the go-git library, affecting versions through 5.17.2 and 6.0.0-alpha.1, may lead to the unintentional leakage of HTTP authentication credentials. This occurs when the library follows redirects during smart-HTTP clone and fetch operations, potentially sending credentials to an unintended host. The issue arises when interacting with untrusted or misconfigured Git servers over unsecured HTTP connections. Clients using go-git with trusted remotes like GitHub or GitLab over secure HTTPS are not affected.
Exploitation of this vulnerability can result in the unauthorized interception of HTTP authentication credentials, such as Authorization headers, during smart-HTTP Git operations. If an attacker controls the redirect target, these credentials could be captured and reused to access the victim's repositories or resources, depending on the credential's scope.
Users should upgrade to go-git version 5.18.0 or 6.0.0-alpha.2. The patched versions include support for configuring the followRedirects policy, with the default set to 'initial'. Users can programmatically opt into 'FollowRedirects' or 'NoFollowRedirects'.
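As an added illustration (not go-git's code; the advisory does not define how its 'initial' policy behaves), this Go program models the three redirect behaviours with net/http's CheckRedirect hook and shows, against two local test servers, which of them forwards a constructed Authorization header to the redirect target. The Policy type and its names are hypothetical; SameHostOnly is one plausible reading of a safe default, not a description of go-git's implementation.

```go
package main

import (
	"errors"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Policy is a hypothetical model of the three behaviours the advisory names, not go-git's API.
type Policy int

const (
	SameHostOnly      Policy = iota // model of a safe default: never leave the original host
	FollowRedirects                 // pre-fix behaviour: follow wherever the server points
	NoFollowRedirects               // stop at the first 3xx response
)

// newClient builds an http.Client whose CheckRedirect hook enforces the policy.
func newClient(p Policy, origin *url.URL) *http.Client {
	return &http.Client{CheckRedirect: func(req *http.Request, via []*http.Request) error {
		switch {
		case p == NoFollowRedirects:
			return http.ErrUseLastResponse // hand back the 3xx, send nothing further
		case p == SameHostOnly && req.URL.Host != origin.Host:
			return errors.New("refusing redirect from " + origin.Host + " to " + req.URL.Host)
		}
		return nil
	}}
}

// simulateClone sends one authenticated info/refs request to a local origin that
// redirects to a second local server and reports whether the (constructed)
// Authorization header reached that second server.
func simulateClone(p Policy) (leaked bool, err error) {
	other := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		leaked = r.Header.Get("Authorization") != ""
	}))
	defer other.Close()
	origin := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, other.URL+r.URL.RequestURI(), http.StatusFound)
	}))
	defer origin.Close()
	originURL, _ := url.Parse(origin.URL)
	req, _ := http.NewRequest(http.MethodGet, origin.URL+"/repo.git/info/refs?service=git-upload-pack", nil)
	req.Header.Set("Authorization", "Basic dXNlcjpjb25zdHJ1Y3RlZC10b2tlbg==") // constructed sample credential
	resp, err := newClient(p, originURL).Do(req)
	if resp != nil {
		resp.Body.Close()
	}
	return leaked, err
}
```

net/http's own stripping of sensitive headers on redirect compares hostnames only, which is why the FollowRedirects case in this two-port local setup does forward the header; a client must enforce its own host check to get the SameHostOnly behaviour.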