PT-2026-41959 · Go-Git · Go-Git

Ayushparkara +1 · Published 2026-05-19 · Updated 2026-05-27 · CVE-2026-45571

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Name of the Vulnerable Software and Affected Versions

go-git versions prior to v5

Description

A path validation issue allows crafted repository data to affect files outside the intended checkout target, including the repository's .git directory. This occurs because the software drifted from validation checks implemented in upstream Git. Some attack vectors are platform-specific, affecting only Windows or macOS users, while others apply across all supported platforms. Isolation may be provided if non-descendant go-billy filesystem instances or different filesystem types are used for the Storer and Worktree, such as using memfs for the .git directory and osfs for the worktree. However, this isolation may not apply to repositories containing submodules, as submodule dotgit directories may still be materialized within the worktree context.

Recommendations

Upgrade to a supported go-git version v5 or later.

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-45571
GHSA-CRHJ-59GH-8X96
OPENSUSE-SU-2026:10831-1

Affected Products

Go-Git