N0Zom1Z0

**Name of the Vulnerable Software and Affected Versions** go-git versions prior to v5 **Description** The SSH transport in go-git constructs the remote exec command by wrapping the repository path in single quotes but fails to escape single quotes embedded within that path. This allows a repository path containing a single quote to break out of the quoted region and append additional shell tokens. On SSH servers that evaluate the exec command through a shell, such as those using `/bin/sh`, `/bin/bash`, or a `ForceCommand` wrapper that re-evaluates `$SSH ORIGINAL COMMAND`, these tokens execute within the account's command-execution context. This issue occurs on the SSH server side, but go-git can act as a vehicle for reaching such servers through attacker-influenced repository paths. **Recommendations** Upgrade to a supported version of go-git (v5 or later).

**Name of the Vulnerable Software and Affected Versions** go-git versions prior to v5 **Description** A path validation issue allows crafted repository data to affect files outside the intended checkout target, including the repository's `.git` directory. This occurs because the software drifted from validation checks implemented in upstream Git. Some attack vectors are platform-specific, affecting only Windows or macOS users, while others apply across all supported platforms. Isolation may be provided if non-descendant `go-billy` filesystem instances or different filesystem types are used for the `Storer` and `Worktree`, such as using `memfs` for the `.git` directory and `osfs` for the worktree. However, this isolation may not apply to repositories containing submodules, as submodule dotgit directories may still be materialized within the worktree context. **Recommendations** Upgrade to a supported go-git version v5 or later.

**Name of the Vulnerable Software and Affected Versions** go-git versions prior to 5.18.0 go-git versions prior to 6.0.0-alpha.2 **Description** During smart-HTTP clone and fetch operations, the library may leak HTTP authentication credentials when following redirects. If a remote repository responds to the initial '/info/refs' request with a redirect to a different host, the session endpoint is updated to the redirected location and the original authentication, such as Authorization headers, is reused for subsequent requests. This allows an attacker controlling the redirect target to capture credentials and potentially access the victim's repositories or other resources. This issue occurs when interacting with untrusted or misconfigured Git servers or when using unsecured HTTP connections. **Recommendations** Update to version 5.18.0. Update to version 6.0.0-alpha.2.

**Name of the Vulnerable Software and Affected Versions** go-git versions prior to 5.16.5 **Description** go-git is a Git implementation library written in Go. A flaw exists in how go-git handles the integrity verification of `.pack` and `.idx` files. Specifically, data integrity values were not properly verified, potentially allowing the consumption of corrupted files. This could lead to errors such as 'object not found' during operations involving fetched packfiles from Git servers or locally generated pack indexes. Packfiles contain checksums to ensure data integrity during client downloads. The incorrect verification process bypassed these checks. **Recommendations** Update to version 5.16.5 or later.

**Name of the Vulnerable Software and Affected Versions** pypdf versions prior to 6.6.0 **Description** pypdf is a free and open-source pure-python PDF library. Versions prior to 6.6.0 are susceptible to potential long runtimes when processing PDF files missing the /Root object but containing a large /Size value. An attacker can exploit this by creating a specially crafted PDF file that causes extended processing times, particularly in non-strict reading mode. This issue affects invalid files and can lead to a denial-of-service condition. **Recommendations** Versions prior to 6.6.0 should be updated to version 6.6.0 or later.

**Name of the Vulnerable Software and Affected Versions** libvips versions 8.17.1 and earlier **Description** libvips is an image processing library. When compiled with PDF input support via poppler, versions 8.17.1 and below are susceptible to a buffer read overflow during PDF header parsing when processing a crafted PDF file lacking a height definition. Users compiling libvips without PDF input support or utilizing PDFium for PDF input are not affected. The issue is addressed in version 8.17.2. The `pdfload` operation is specifically impacted. **Recommendations** Update to version 8.17.2 or later. Block the `VipsForeignLoadPdf` operation using `vips operation block set`. Set the `VIPS BLOCK UNTRUSTED` environment variable at runtime.

**Name of the Vulnerable Software and Affected Versions** FPDI versions 2.6.2 and below **Description** FPDI is a collection of PHP classes that facilitate reading pages from existing PDF documents and using them as templates in FPDF. A malicious PDF file can cause a server-side script to crash due to memory exhaustion, leading to a Denial of Service (DoS). Repeated attacks can lead to sustained service unavailability. **Recommendations** Update to version 2.6.3 or later.