go-git: Malformed Git object data may cause panics or resource exhaustion

Description

Impact

Several denial-of-service issues were identified in go-git when parsing maliciously crafted Git repository data.

An attacker may craft a malicious .pack, .idx or loose objects that causes an application using an affected version of go-git to panic or consume excessive resources.

This can lead to denial of service in applications that use go-git to clone, fetch, open, or otherwise process untrusted repositories or Git object data.

Exploitation requires the ability to alter read-only files such as .pack or .idx from the local repository's .git/objects/pack/ directory. Alternatively, the user would need to be interacting with a malicious remote server, which is not recommended and exposes users to a broader class of security risks beyond this issue.

Patches

Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version.

Credits

go-git thanks @kodareef5, @AyushParkara and @N0zoM1z0 for reporting this in four separate reports. 🙇

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-05-29 19:43:27 UTC
Updated
2026-05-29 19:43:29 UTC
GitHub reviewed
2026-05-29 19:43:27 UTC

CVSS Scores

Base score Version Severity Vector
6.5 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.

Identifiers

Type Value
GHSA GHSA-w5pp-99ch-qj29 ↗

CWEs

CWE id Name
CWE-400 Uncontrolled Resource Consumption

Credits

  • hiddeco (remediation_developer)
  • N0zoM1z0 (reporter)
  • AyushParkara (reporter)
  • kodareef5 (reporter)

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
go github.com/go-git/go-git/v5 <= 5.19.0 5.19.1
go github.com/go-git/go-git/v6 <= 6.0.0-alpha.3 6.0.0-alpha.4

References

cvelogic Threat Intelligence