go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. This diverges from canonical Git, which shell-quotes the path through sq_quote_buf so that an embedded ' becomes the '\'' close-escape-reopen sequence and the whole path round-trips as a single quoted argument.
A repository path containing a single quote can therefore break out of the quoted region in the exec command and be appended as additional shell tokens. On SSH servers that evaluate the exec command through a shell (for example a user account whose login shell is /bin/sh or /bin/bash, or a ForceCommand wrapper that re-evaluates $SSH_ORIGINAL_COMMAND), those additional tokens execute in that account's command-execution context. SSH servers that tokenize the exec command without shell evaluation, including the canonical git-shell setup, are not affected.
The vulnerable behaviour is on the SSH server side, not in go-git: the same bytes can be produced by any SSH client. The change in go-git is defense-in-depth that restores parity with canonical Git's wire format and prevents go-git from being a vehicle for reaching shell-evaluating servers through attacker-influenced repository paths.
Users should upgrade to a patched version in order to mitigate this issue. The fix ports sq_quote_buf from canonical Git into go-git's SSH transport so that the wire output is byte-identical to what git itself would send for the same input.
Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version.
Thanks to @N0zoM1z0 for reporting this to the go-git project. :bow:
| Score | Percentile |
|---|---|
| 0.02% | 3.82% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 2.3 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-m7cr-m3pv-hgrp ↗ |
| CVE | CVE-2026-45570 ↗ |
| CWE id | Name |
|---|---|
| CWE-116 | Improper Encoding or Escaping of Output |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| go | github.com/go-git/go-git/v5 | <= 5.19.0 | 5.19.1 | — |
| go | github.com/go-git/go-git/v6 | <= 6.0.0-alpha.3 | 6.0.0-alpha.4 | — |
| go | github.com/go-git/go-git | <= 4.7.0 | — | — |