PT-2024-13749 · Go-Git · Bdilalu

Published 2024-01-10 · Updated 2025-04-09 · CVE-2023-49569

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions:

go-git versions prior to v5.11

Description:

A path traversal vulnerability was discovered in go-git that allows a malicious Git server to create and amend files outside the checkout directory on the client's filesystem. In the worst case this can be escalated to remote code execution. Applications are affected only if the worktree is backed by a ChrootOS filesystem, which is what the "Plain" variants of the Open and Clone functions use by default. Applications that back the worktree with a BoundOS or an in-memory filesystem are not affected. This is a go-git implementation issue and does not affect the upstream Git CLI.
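The defensive check below is an added example and is not go-git's code or its actual fix; it shows the class of validation an application that writes files taken from untrusted repository content needs, generalising beyond the specific bug the advisory describes. It applies lexical rules (no empty, absolute or ".." entries, no ".git" component, since git interprets anything written there) and then verifies that the resolved on-disk destination, symlinks included, still lies under the checkout root. The symlink handling is included because traversal through a planted link is a standard variant of this bug class, not because the advisory states that mechanism.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath marks an entry name that a checkout must refuse to write.
var ErrUnsafePath = errors.New("unsafe checkout path")

// CheckEntryPath applies lexical rules to a path taken from untrusted
// repository content. Both separators are split because the remote controls
// the raw bytes. Any ".." component is rejected, as is any ".git" component
// (any case; Windows 8.3 aliases such as GIT~1 are deliberately out of scope).
func CheckEntryPath(name string) error {
	bad := func(why string) error { return fmt.Errorf("%w (%s): %q", ErrUnsafePath, why, name) }
	if name == "" {
		return bad("empty")
	}
	if filepath.IsAbs(name) || name[0] == '/' || name[0] == '\\' {
		return bad("absolute")
	}
	parts := strings.FieldsFunc(name, func(r rune) bool { return r == '/' || r == '\\' })
	if len(parts) == 0 {
		return bad("no components")
	}
	if strings.Contains(parts[0], ":") { // conservative: drive-letter style prefix
		return bad("volume prefix")
	}
	for _, p := range parts {
		if p == ".." {
			return bad("parent reference")
		}
		if strings.EqualFold(p, ".git") {
			return bad("metadata directory")
		}
	}
	return nil
}

// SafeJoin returns the on-disk destination for name under root, or an error
// if the entry would land outside root. After the lexical checks it resolves
// symlinks in the nearest existing ancestor of the destination, so a link
// planted earlier in the checkout cannot redirect a later write, and it
// refuses to write through an existing symlink at the destination itself.
func SafeJoin(root, name string) (string, error) {
	if err := CheckEntryPath(name); err != nil {
		return "", err
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	realRoot, err := filepath.EvalSymlinks(absRoot)
	if err != nil {
		return "", err
	}
	dest := filepath.Join(realRoot, filepath.FromSlash(name))
	anc := filepath.Dir(dest)
	for anc != realRoot {
		if _, err := os.Lstat(anc); err == nil {
			break
		}
		anc = filepath.Dir(anc)
	}
	realAnc, err := filepath.EvalSymlinks(anc)
	if err != nil {
		return "", err
	}
	if !within(realRoot, realAnc) {
		return "", fmt.Errorf("%w (escapes root via %s): %q", ErrUnsafePath, anc, name)
	}
	if fi, err := os.Lstat(dest); err == nil && fi.Mode()&os.ModeSymlink != 0 {
		return "", fmt.Errorf("%w (destination is a symlink): %q", ErrUnsafePath, name)
	}
	return dest, nil
}

// within reports whether p equals root or is located beneath it.
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

func main() {
	root, err := os.MkdirTemp("", "checkout")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	// Constructed sample entry names as a hostile tree might present them.
	for _, name := range []string{"src/main.go", "../etc/cron.d/job", ".git/hooks/post-checkout", "/etc/passwd"} {
		dest, err := SafeJoin(root, name)
		if err != nil {
			fmt.Printf("reject %-28q %v\n", name, err)
			continue
		}
		fmt.Printf("accept %-28q -> %s\n", name, dest)
	}
}
```

Run the lexical check on every entry name before any I/O and SafeJoin immediately before each write; validating once up front and writing later is exactly the window a planted symlink exploits.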

Recommendations:

For versions prior to v5.11, upgrade to v5.11 or later, which contains the fix.

Where an upgrade cannot be applied promptly, limit the use of go-git to trustworthy Git servers only, since the malicious content arrives from the remote being cloned or fetched.

As an additional workaround, back the worktree with a BoundOS or an in-memory filesystem and pass it to the non-"Plain" Open and Clone functions instead of relying on the default ChrootOS.

Avoid the "Plain" versions of the Open and Clone functions until the upgrade is in place.

Fix

RCE

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2023-49569
GHSA-449P-3H89-PW88
GO-2024-2456
RHSA-2024:0880
RHSA-2024:2631
RHSA-2024:3925
RHSA-2024:4118

Affected Products

Debian
Go-Git