PT-2026-39697 · Go-Git · Go-Git

Bugbunny-Research +1 · Published 2026-05-11 · Updated 2026-06-04 · CVE-2026-45022

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

go-git versions prior to v5

Description

go-git may parse malformed Git objects differently than upstream Git. When commit or tag objects contain ambiguous or malformed headers, the decoded representation in go-git may expose values that differ from how Git interprets or rejects the same object. Furthermore, commit signing and verification logic operates on commit data reconstructed from the parsed representation instead of the original raw object bytes. This can lead to go-git signing or verifying a commit payload that is not byte-for-byte equivalent to the object stored in the repository, potentially making a signature appear valid for a commit with metadata that differs from the intended signed object.

Recommendations

Upgrade to a supported version of go-git (v5 or later).
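
The parse-then-re-encode mismatch named in the description, as an added Go example that is not go-git's code: a toy, deliberately lossy parser (`parseCommit`, `encode` and `roundTrips` are hypothetical names) fails to reproduce the stored bytes of a constructed commit, and the byte-equality check is what a signer or verifier needs before trusting a rebuilt payload. The repeated `author` header is an assumed instance of "ambiguous or malformed"; the advisory does not say which malformations are affected.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// parsed is a toy decoded commit; it is NOT go-git's object model.
type parsed struct {
	headers map[string]string // a repeated key overwrites the earlier value
	message string
}

// parseCommit is a lenient toy parser (assumption, for illustration only).
func parseCommit(raw []byte) parsed {
	head, msg, _ := strings.Cut(string(raw), "\n\n")
	p := parsed{headers: map[string]string{}, message: msg}
	for _, line := range strings.Split(head, "\n") {
		k, v, _ := strings.Cut(line, " ")
		p.headers[k] = v
	}
	return p
}

// encode rebuilds commit bytes from the parsed form, known headers only.
func (p parsed) encode() []byte {
	var b bytes.Buffer
	for _, k := range []string{"tree", "parent", "author", "committer"} {
		if v, ok := p.headers[k]; ok {
			fmt.Fprintf(&b, "%s %s\n", k, v)
		}
	}
	b.WriteString("\n" + p.message)
	return b.Bytes()
}

// roundTrips reports whether the rebuilt payload is byte-identical to the
// stored object; if not, signing or verifying the rebuilt form is unsafe.
func roundTrips(raw []byte) bool {
	return bytes.Equal(raw, parseCommit(raw).encode())
}

// Constructed sample objects (signature header omitted for brevity).
var wellFormed = []byte("tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\nauthor A <a@example.com> 1700000000 +0000\ncommitter A <a@example.com> 1700000000 +0000\n\ninitial\n")
var ambiguous = []byte("tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\nauthor A <a@example.com> 1700000000 +0000\nauthor B <b@example.com> 1700000000 +0000\ncommitter A <a@example.com> 1700000000 +0000\n\ninitial\n")

func main() {
	fmt.Println(roundTrips(wellFormed), roundTrips(ambiguous))
}
```

Hashing or verifying the raw object bytes directly avoids the problem altogether; the round-trip check is a guard for code paths that must work from a parsed object.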

Fix

Insufficient Verification of Data Authenticity

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-AQ65185
CLEANSTART-2026-BG69533
CLEANSTART-2026-DM19620
CLEANSTART-2026-QP84300
CVE-2026-45022
GHSA-389R-GV7P-R3RP
OPENSUSE-SU-2026:10769-1

Affected Products

Go-Git