GHSA-CRHJ-59GH-8X96
Vulnerability from github – Published: 2026-05-19 15:38 – Updated: 2026-05-19 15:38Impact
A path validation issue in go-git could allow crafted repository data to affect files outside the intended checkout target, including the repository's .git directory.
These validations were introduced in upstream Git years ago, so the vulnerability arose from go-git drifting from those checks. Some attack vectors were platform-specific: certain payloads affected only Windows users, others affected only macOS users, and some applied across all supported platforms.
Using non-descendant go-billy filesystem instances, or different filesystem types, for the Storer and Worktree may provide some isolation against .git directory manipulation. For example, users that store the .git directory through memfs while using osfs for the worktree are not affected by this vulnerability in the main repository, because repository metadata is not materialized inside the worktree filesystem.
However, this isolation does not necessarily apply when the repository contains submodules, since submodule dotgit directories may still be represented or materialized within the worktree context.
It is important to note that exploitation requires a maliciously crafted repository payload. Users should always exercise caution when interacting with repositories or Git servers they do not trust.
Patches
Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version.
Credits
Thanks to @kodareef5, @AyushParkara and @N0zoM1z0 for reporting this to the go-git project in three separate reports. 🙇
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.19.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/go-git/go-git/v5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.19.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.0.0-alpha.3"
},
"package": {
"ecosystem": "Go",
"name": "github.com/go-git/go-git/v6"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.0.0-alpha.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/go-git/go-git"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "44.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45571"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-19T15:38:39Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nA path validation issue in `go-git` could allow crafted repository data to affect files outside the intended checkout target, including the repository\u0027s `.git` directory.\n\nThese validations were introduced in upstream Git years ago, so the vulnerability arose from go-git drifting from those checks. Some attack vectors were platform-specific: certain payloads affected only Windows users, others affected only macOS users, and some applied across all supported platforms.\n\nUsing non-descendant `go-billy` filesystem instances, or different filesystem types, for the `Storer` and `Worktree` may provide some isolation against `.git` directory manipulation. For example, users that store the `.git` directory through `memfs` while using `osfs` for the worktree are not affected by this vulnerability in the main repository, because repository metadata is not materialized inside the worktree filesystem.\n\nHowever, this isolation does not necessarily apply when the repository contains submodules, since submodule dotgit directories may still be represented or materialized within the worktree context.\n\nIt is important to note that exploitation requires a maliciously crafted repository payload. Users should always exercise caution when interacting with repositories or Git servers they do not trust.\n\n### Patches\nUsers should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to `v5` are likely to be affected, users are recommended to upgrade to a supported go-git version.\n\n### Credits\nThanks to @kodareef5, @AyushParkara and @N0zoM1z0 for reporting this to the go-git project in three separate reports. \ud83d\ude47",
"id": "GHSA-crhj-59gh-8x96",
"modified": "2026-05-19T15:38:39Z",
"published": "2026-05-19T15:38:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/go-git/go-git/security/advisories/GHSA-crhj-59gh-8x96"
},
{
"type": "PACKAGE",
"url": "https://github.com/go-git/go-git"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "go-git: Crafted repositories may modify main and submodule .git directories"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.