go-git Improper Single-Quote Escaping in SSH Transport Vulnerability

Vulnerability

A vulnerability exists in go-git's SSH transport in versions prior to 5.19.1 and 6.0.0-alpha.4. The issue arises because the SSH transport constructs the remote exec command by wrapping the repository path in single quotes, but fails to properly escape single quotes embedded within the path. This flaw allows a repository path containing a single quote to break out of the quoted region and be appended as additional shell tokens. On SSH servers that evaluate the exec command through a shell, these extra tokens could execute in the context of the user's command execution environment. The vulnerability has been addressed in go-git versions 5.19.1 and 6.0.0-alpha.4.
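The quoting flaw described above, shown as an added example that is not go-git's own code: a naive quoter with the described defect beside a hardened one, plus a minimal POSIX-style word splitter that shows how many tokens a shell-backed SSH server would see. The hardened shellQuote, the splitWords helper and the sample path are assumptions made here for illustration.

```go
package main

import "strings"

// naiveQuote mirrors the flawed pattern in the advisory: the path is
// wrapped in single quotes, but embedded single quotes are not escaped.
func naiveQuote(path string) string { return "'" + path + "'" }

// shellQuote is a hardened form (an assumption, not go-git's own fix):
// each embedded ' becomes '\'' so the path stays one POSIX shell word.
func shellQuote(path string) string {
	return "'" + strings.ReplaceAll(path, "'", `'\''`) + "'"
}

// splitWords is a minimal POSIX-style word splitter (single quotes and
// backslash escapes only); it shows how many tokens the remote shell
// would see for a given exec command.
func splitWords(cmd string) []string {
	var words []string
	var cur strings.Builder
	inWord, inQuote := false, false
	for i := 0; i < len(cmd); i++ {
		c := cmd[i]
		switch {
		case inQuote && c == '\'':
			inQuote = false
		case inQuote:
			cur.WriteByte(c)
		case c == '\'':
			inQuote, inWord = true, true
		case c == '\\' && i+1 < len(cmd):
			i++
			cur.WriteByte(cmd[i])
			inWord = true
		case c == ' ' || c == '\t':
			if inWord {
				words = append(words, cur.String())
				cur.Reset()
				inWord = false
			}
		default:
			cur.WriteByte(c)
			inWord = true
		}
	}
	if inWord {
		words = append(words, cur.String())
	}
	return words
}
```

For the constructed path `it's repo.git`, naiveQuote yields three tokens (`git-upload-pack`, `its`, `repo.git`) while shellQuote keeps the path as a single second token, which is the property a transport must preserve.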

Impact

Exploitation of this vulnerability could lead to unauthorized command execution on the SSH server, in the context of the user account associated with the SSH session.

Remediation

Users should upgrade to go-git version 5.19.1 or 6.0.0-alpha.4. Users still on versions prior to v5 should upgrade to a supported go-git release.

Added: May 27, 2026, 4:56 PM
Updated: May 27, 2026, 4:56 PM

Vulnerability Rating

Custom Algorithm scores:

spread:          5.4
impact:         10.0
exploitability:  4.7
remediation:     7.7
relevance:       9.7
threat:          0.0
urgency:         2.9
incentive:       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.