AZL-55060

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-55060.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-55060

Upstream

CVE-2025-21613

Published

2025-01-06T17:15:47Z

Modified

2026-04-01T05:18:29.547724Z

Summary

CVE-2025-21613 affecting package packer for versions less than 1.9.5-5

Details

go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-21613

Affected packages

Azure Linux:3 / packer

Package

Name: packer
Purl: pkg:rpm/azure-linux/packer

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.9.5-5

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-55060.json"