GHSA-crhj-59gh-8x96

Suggest an improvement
Source
https://github.com/advisories/GHSA-crhj-59gh-8x96
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-crhj-59gh-8x96/GHSA-crhj-59gh-8x96.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-crhj-59gh-8x96
Aliases
Downstream
Related
Published
2026-05-19T15:38:39Z
Modified
2026-05-20T14:14:06.745156258Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L CVSS Calculator
Summary
go-git: Crafted repositories may modify main and submodule .git directories
Details

Impact

A path validation issue in go-git could allow crafted repository data to affect files outside the intended checkout target, including the repository's .git directory.

These validations were introduced in upstream Git years ago, so the vulnerability arose from go-git drifting from those checks. Some attack vectors were platform-specific: certain payloads affected only Windows users, others affected only macOS users, and some applied across all supported platforms.

Using non-descendant go-billy filesystem instances, or different filesystem types, for the Storer and Worktree may provide some isolation against .git directory manipulation. For example, users that store the .git directory through memfs while using osfs for the worktree are not affected by this vulnerability in the main repository, because repository metadata is not materialized inside the worktree filesystem.

However, this isolation does not necessarily apply when the repository contains submodules, since submodule dotgit directories may still be represented or materialized within the worktree context.

It is important to note that exploitation requires a maliciously crafted repository payload. Users should always exercise caution when interacting with repositories or Git servers they do not trust.

Patches

Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version.

Credits

Thanks to @kodareef5, @AyushParkara and @N0zoM1z0 for reporting this to the go-git project in three separate reports. 🙇

Database specific 
{
    "severity": "MODERATE",
    "nvd_published_at": null,
    "github_reviewed_at": "2026-05-19T15:38:39Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "github_reviewed": true
}
References

Affected packages

Go / github.com/go-git/go-git/v5

Package

Name
github.com/go-git/go-git/v5
View open source insights on deps.dev
Purl
pkg:golang/github.com/go-git/go-git/v5

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.19.1

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-crhj-59gh-8x96/GHSA-crhj-59gh-8x96.json"
last_known_affected_version_range 
"<= 5.19.0"

Go / github.com/go-git/go-git/v6

Package

Name
github.com/go-git/go-git/v6
View open source insights on deps.dev
Purl
pkg:golang/github.com/go-git/go-git/v6

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.0.0-alpha.4

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-crhj-59gh-8x96/GHSA-crhj-59gh-8x96.json"
last_known_affected_version_range 
"<= 6.0.0-alpha.3"

Go / github.com/go-git/go-git

Package

Name
github.com/go-git/go-git
View open source insights on deps.dev
Purl
pkg:golang/github.com/go-git/go-git

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
44.7.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-crhj-59gh-8x96/GHSA-crhj-59gh-8x96.json"