Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1yOXB4LW05NTktY3hmNM4ABC-l

go-git clients vulnerable to DoS via maliciously crafted Git server replies

Impact

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.

This is a go-git implementation issue and does not affect the upstream git cli.

Patches

Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend limiting its use to only trust-worthy Git servers.

Credit

Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.

Permalink: https://github.com/advisories/GHSA-r9px-m959-cxf4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yOXB4LW05NTktY3hmNM4ABC-l
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 2 days ago
Updated: 2 days ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Percentage: 0.00043
EPSS Percentile: 0.11049

Identifiers: GHSA-r9px-m959-cxf4, CVE-2025-21614
References:

• https://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4
• https://nvd.nist.gov/vuln/detail/CVE-2025-21614
• https://github.com/advisories/GHSA-r9px-m959-cxf4

Repository: https://github.com/go-git/go-git
Blast Radius: 31.0

Affected Packages