PT-2025-1014 · Go-Git+9
Vin01 · Published 2025-01-06 · Updated 2026-03-12
CVE-2025-21613
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
go-git versions prior to v5.13
Description
An argument injection vulnerability was discovered in go-git. The successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries.
Recommendations
For go-git versions prior to v5.13, upgrade to version 5.13.0 to mitigate this vulnerability.
As a temporary workaround, consider enforcing strict validation rules for values passed in the URL field.
Restrict access to the file transport protocol to minimize the risk of exploitation.
Avoid using the file transport protocol until the issue is resolved.
Exploit
Fix
Argument Injection
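One way to apply the temporary workaround from the recommendations (strict validation of values passed in the URL field, and keeping callers off the file transport) is a check that runs before any clone or fetch call. This is an added example, not code from go-git or from the advisory; `ValidateRepoURL`, the https/ssh allowlist and the sample inputs are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Assumed policy for this example: network transports only. The file
// transport is excluded because it is the one that shells out to git binaries.
var allowedSchemes = map[string]bool{"https": true, "ssh": true}

// ValidateRepoURL (hypothetical helper) checks a caller-supplied repository
// URL before it is handed to any clone or fetch call.
func ValidateRepoURL(raw string) error {
	if raw == "" || raw != strings.TrimSpace(raw) {
		return errors.New("empty value or surrounding whitespace")
	}
	// A value that starts with '-' can be read as an option by a spawned binary.
	if strings.HasPrefix(raw, "-") {
		return errors.New("value starts with '-'")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("unparseable URL: %w", err)
	}
	// A bare local path has no scheme; it is rejected along with file://.
	if !allowedSchemes[u.Scheme] {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.Hostname() == "" || strings.HasPrefix(u.Hostname(), "-") {
		return errors.New("missing or option-like host")
	}
	return nil
}

func main() {
	// Constructed sample inputs, not taken from the advisory.
	for _, in := range []string{
		"https://git.example.com/org/repo.git",
		"ssh://git@git.example.com/org/repo.git",
		"file:///srv/git/repo.git",
		"/srv/git/repo.git",
		"--example-option=value",
	} {
		fmt.Printf("%-42s -> %v\n", in, ValidateRepoURL(in))
	}
}
```

The check is a stopgap for deployments that cannot upgrade yet; the fix named in the advisory is go-git 5.13.0.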
Weakness Enumeration
Related Identifiers
Affected Products
Almalinux
Centos
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Go-Git