go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing.
This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue.
An attacker able to supply a crafted .git/index file can cause applications using go-git to panic while reading the index. If the application does not recover from panics, this results in process termination, leading to a denial-of-service (DoS) condition.
Exploitation requires the ability to modify or inject a Git index file within the local repository in disk. This typically implies write access to the .git directory.
Users should upgrade to v5.17.1, or the latest v6 pseudo-version, in order to mitigate this vulnerability.
go-git maintainers thank @kq5y for finding and reporting this issue privately to the go-git project.
| Score | Percentile |
|---|---|
| 0.01% | 2.35% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 2.8 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-gm2x-2g9h-ccm8 ↗ |
| CVE | CVE-2026-33762 ↗ |
| CWE id | Name |
|---|---|
| CWE-129 | Improper Validation of Array Index |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| go | github.com/go-git/go-git/v5 | <= 5.17.0 | 5.17.1 | — |