CVE-2025-21613
Published: 06 January 2025
Description
go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.
Security Summary
CVE-2025-21613 is an argument injection vulnerability (CWE-88) in go-git, a highly extensible Git implementation library written in pure Go. The flaw affects versions prior to v5.13 and occurs only when the file transport protocol is used, as this is the sole protocol that shells out to Git binaries, enabling the injection.
A remote network attacker requires no privileges, authentication, or user interaction and faces low attack complexity, per the CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation allows the attacker to set arbitrary values to git-upload-pack flags, resulting in high impacts to confidentiality, integrity, and availability.
The vulnerability is addressed in go-git v5.13.0. Additional details are available in the GitHub security advisory at https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m.
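The description and summary above characterise the flaw as argument injection (CWE-88) in the one go-git transport that execs a git binary: a caller-supplied value reaching the command line can be parsed by git-upload-pack as an option instead of a repository path. The following is an added illustration of the defensive pattern for that class of bug, not go-git's own code or its fix; the function names, the fixed binary name "git-upload-pack", and the assumption that the binary honours "--" as an end-of-options marker are all assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// ErrFlagLikeArg is returned when a caller-supplied value would be parsed by
// the exec'd git binary as an option rather than a repository path.
var ErrFlagLikeArg = errors.New("argument begins with '-' and would be interpreted as a flag")

// ValidateRepoArg is a generic CWE-88 guard (hypothetical helper, not go-git's):
// any value that starts with '-' is rejected before it can reach argv.
func ValidateRepoArg(arg string) error {
	if arg == "" {
		return errors.New("empty repository path")
	}
	if strings.HasPrefix(arg, "-") {
		return ErrFlagLikeArg
	}
	return nil
}

// UploadPackArgs builds the argument vector for git-upload-pack with the
// repository path placed after "--", so a parse_options-based git command
// treats it as positional even if a flag-shaped value were to get this far.
func UploadPackArgs(repoPath string) ([]string, error) {
	if err := ValidateRepoArg(repoPath); err != nil {
		return nil, err
	}
	return []string{"--", repoPath}, nil
}

// NewUploadPackCmd constructs (but does not run) the command. The binary name
// is fixed here rather than derived from input; this wrapper is hypothetical.
func NewUploadPackCmd(repoPath string) (*exec.Cmd, error) {
	args, err := UploadPackArgs(repoPath)
	if err != nil {
		return nil, err
	}
	return exec.Command("git-upload-pack", args...), nil
}

func main() {
	// Constructed sample inputs: one ordinary path and two flag-shaped values.
	for _, p := range []string{"/srv/repos/project.git", "--strict", "-h"} {
		args, err := UploadPackArgs(p)
		if err != nil {
			fmt.Printf("%-26q rejected: %v\n", p, err)
			continue
		}
		fmt.Printf("%-26q argv: %v\n", p, args)
	}
}
```

Both layers matter: the prefix check gives a clear error to the caller, while the "--" separator is the defence that holds even when a value is accepted. Upgrading to go-git v5.13.0 or later remains the actual remediation for the advisory above; this example only shows the shape of the check a reviewer would look for wherever a library shells out to git.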
Details
- CWE(s): CWE-88 (argument injection)