CVE-2026-45571
MEDIUM
go-git: Crafted repositories may modify main and submodule .git directories
Title source: cna
Description
go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, a path validation issue in go-git could allow crafted repository data to affect files outside the intended checkout target, including the repository's .git directory. These validations were introduced in upstream Git years ago, so the vulnerability arose from go-git drifting from those checks. This vulnerability is fixed in 5.19.1 and 6.0.0-alpha.4.
References (1)
x_refsource_confirm
https://github.com/go-git/go-git/security/advisories/GHSA-crhj-59gh-8x96
Scores
CVSS v3
5.4
EPSS
0.0030
EPSS Percentile
21.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (7)
go-git/go-git
0 - 44.7.0 (Go)
go-git/go-git
0 - 5.19.1 (Go)
go-git/go-git
0 - 6.0.0-alpha.4 (Go)
go-git/go-git
< 5.19.1
go-git/go-git
>= 6.0.0-alpha.1, < 6.0.0-alpha.4
go-git_project/go-git
6.0.0 alpha1 (3 CPE variants)
go-git_project/go-git
< 5.19.1
Published
May 27, 2026
Tracked Since
May 27, 2026