Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS12NzI1LTk1NDYtN3E3bc4ABC-k

go-git has an Argument Injection via the URL field

Impact

An argument injection vulnerability was discovered in go-git versions prior to v5.13.

Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries.

Affected versions

Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend users to enforce restrict validation rules for values passed in the URL field.

Credit

Thanks to @vin01 for responsibly disclosing this vulnerability to us.

Permalink: https://github.com/advisories/GHSA-v725-9546-7q7m
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12NzI1LTk1NDYtN3E3bc4ABC-k
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 17 days ago
Updated: 17 days ago

CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Percentage: 0.00043
EPSS Percentile: 0.11049

Identifiers: GHSA-v725-9546-7q7m, CVE-2025-21613
References:

• https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m
• https://nvd.nist.gov/vuln/detail/CVE-2025-21613
• https://github.com/advisories/GHSA-v725-9546-7q7m

Repository: https://github.com/go-git/go-git
Blast Radius: 40.5

Affected Packages