GHSA-v725-9546-7q7m

Source

https://github.com/advisories/GHSA-v725-9546-7q7m

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-v725-9546-7q7m/GHSA-v725-9546-7q7m.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-v725-9546-7q7m

Aliases

Related

Published

2025-01-06T16:16:30Z

Modified

2025-01-07T16:27:03.246475Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
9.2 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear CVSS Calculator

Summary

go-git has an Argument Injection via the URL field

Details

Impact

An argument injection vulnerability was discovered in go-git versions prior to v5.13.

Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries.

Affected versions

Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend users to enforce restrict validation rules for values passed in the URL field.

Credit

Thanks to @vin01 for responsibly disclosing this vulnerability to us.

Database specific

{
    "nvd_published_at": "2025-01-06T17:15:47Z",
    "cwe_ids": [
        "CWE-88"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-06T16:16:30Z"
}

References

Affected packages

Go / gopkg.in/src-d/go-git.v4

Package

Name: gopkg.in/src-d/go-git.v4; View open source insights on deps.dev
Purl: pkg:golang/gopkg.in/src-d/go-git.v4

Affected ranges

Type: SEMVER
Events: Introduced

4.0.0

Last affected

4.13.1

Go / github.com/go-git/go-git/v5

Package

Name: github.com/go-git/go-git/v5; View open source insights on deps.dev
Purl: pkg:golang/github.com/go-git/go-git/v5

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.13.0