CVE-2026-25934
- Source
- https://cve.org/CVERecord?id=CVE-2026-25934
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25934.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-25934
- Aliases
- Downstream
- Related
- Published
- 2026-02-09T22:13:41.974Z
- Modified
- 2026-02-12T02:37:20.927978Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- go-git improperly verifies data integrity values for .idx and .pack files
- Details
-
go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would likely result in unexpected errors such as object not found. For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (.idx) are generated locally by go-git, or the git cli, when new .pack files are received and processed. The integrity checks for both files were not being verified correctly. This vulnerability is fixed in 5.16.5.
- Database specific
{ "cwe_ids": [ "CWE-354" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25934.json" }- References
Affected packages
Git / github.com/go-git/go-git
Affected ranges
- Type
- GIT
- Repo
- https://github.com/go-git/go-git
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed