GHSA-jhf3-xxhw-2wpp

Source
https://github.com/advisories/GHSA-jhf3-xxhw-2wpp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-jhf3-xxhw-2wpp/GHSA-jhf3-xxhw-2wpp.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-jhf3-xxhw-2wpp
Published
2026-03-30T17:17:54Z
Modified
2026-04-07T15:26:16.233321413Z
Severity
  • 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Summary
go-git: Maliciously crafted idx file can cause asymmetric memory consumption
Details

Impact

A vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a Denial of Service (DoS) condition.

Exploitation requires write access to the local repository's .git directory in order to create or alter existing .idx files.

Patches

Users should upgrade to v5.17.1, or the latest v6 pseudo-version, in order to mitigate this vulnerability.

Credit

The go-git maintainers thank @kq5y for finding and reporting this issue privately to the go-git project.

Database specific
{
    "nvd_published_at": "2026-03-31T15:16:17Z",
    "cwe_ids": [
        "CWE-191",
        "CWE-770"
    ],
    "github_reviewed_at": "2026-03-30T17:17:54Z",
    "severity": "MODERATE",
    "github_reviewed": true
}
Affected packages

Go / github.com/go-git/go-git/v5

Package

Name
github.com/go-git/go-git/v5
Purl
pkg:golang/github.com/go-git/go-git/v5

Affected ranges

Type
SEMVER
Events
Introduced
5.0.0
Fixed
5.17.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-jhf3-xxhw-2wpp/GHSA-jhf3-xxhw-2wpp.json"
last_known_affected_version_range
"<= 5.17.0"