go-git Path Validation Vulnerability Allowing Unintended .git Directory Modifications

Vulnerability

A path validation vulnerability has been identified in the go-git library, a Git implementation written in Go. The issue affects go-git versions prior to 5.19.1 and 6.0.0-alpha.4. It allows crafted repository data to interfere with files outside the designated checkout area, including the repository's .git directory. The root cause is go-git's deviation from the path validation checks that upstream Git established years earlier. Exploitation requires a maliciously crafted repository payload; some attack vectors are platform-specific (Windows or macOS), while others apply across all supported platforms.
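To make the missing validation concrete, the following Go function is an added example (not go-git's code) that applies the per-component checks upstream Git performs in verify_path, is_ntfs_dotgit and is_hfs_dotgit to a tree-entry path; the function names, the constructed sample paths in the test and the exact list of HFS+ ignorable code points are reproduced from upstream Git's behaviour rather than from this advisory.

```go
package main

import "strings"

// Code points HFS+ ignores when comparing file names; Git strips them before
// testing a component against ".git" (upstream's is_hfs_dotgit check).
var hfsIgnorable = map[rune]bool{
	0x200c: true, 0x200d: true, 0x200e: true, 0x200f: true,
	0x202a: true, 0x202b: true, 0x202c: true, 0x202d: true, 0x202e: true,
	0x206a: true, 0x206b: true, 0x206c: true, 0x206d: true, 0x206e: true,
	0x206f: true, 0xfeff: true,
}

// normalizeComponent folds the filesystem quirks that make a name land on
// ".git": HFS+ ignorable characters, NTFS alternate data streams (":..."),
// NTFS trailing dots and spaces, the 8.3 short name "git~1", and case.
func normalizeComponent(name string) string {
	var b strings.Builder
	for _, r := range name {
		if !hfsIgnorable[r] {
			b.WriteRune(r)
		}
	}
	s := b.String()
	if i := strings.IndexByte(s, ':'); i >= 0 { // drop NTFS stream suffix
		s = s[:i]
	}
	s = strings.ToLower(strings.TrimRight(s, ". "))
	if s == "git~1" { // 8.3 short name NTFS assigns to ".git"
		s = ".git"
	}
	return s
}

// SafeTreePath reports whether a tree-entry path may be written into the
// worktree (constructed example mirroring upstream Git's verify_path rules).
func SafeTreePath(path string) (bool, string) {
	if path == "" || path[0] == '/' || strings.Contains(path, "\\") {
		return false, "empty, absolute or backslash-separated path"
	}
	for _, c := range strings.Split(path, "/") {
		if c == "" || c == "." || c == ".." {
			return false, "empty, dot or dot-dot component"
		}
		if normalizeComponent(c) == ".git" {
			return false, "dotgit component: " + c
		}
	}
	return true, ""
}
```

Note that a plain ".gitignore" or "gitfile" component passes, while the Windows- and macOS-specific spellings of ".git" are all folded to the same rejected value.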

Impact

Exploitation of this vulnerability could lead to unauthorized modifications of the repository's .git directory, potentially allowing manipulation of Git metadata and history. In repositories with submodules, the same dotgit directory manipulation could be carried out within a submodule's worktree.

Remediation

Users should upgrade to go-git 5.19.1 or 6.0.0-alpha.4. Users running versions prior to 5 should move to a supported go-git release.

Added: May 27, 2026, 4:45 PM
Updated: May 27, 2026, 4:45 PM

Vulnerability Rating (Custom Algorithm)

spread          5.4
impact          2.5
exploitability  4.2
remediation     7.7
relevance       9.7
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.