GHSA-m3xc-h892-ggx6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-m3xc-h892-ggx6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-m3xc-h892-ggx6/GHSA-m3xc-h892-ggx6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-m3xc-h892-ggx6
- Aliases
-
- CVE-2026-44740
- Downstream
- Related
- Published
- 2026-05-13T15:29:47Z
- Modified
- 2026-05-14T17:44:16.054109838Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- go-billy: Lack of depth and cycle detection in symlink resolution may lead to infinite loops and resource exhaustion
- Details
-
Impact
Multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption.
These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures.
Patches
Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to
v5are likely to be affected, users are recommended to upgrade to a supportedgo-billyversion.Credits
Thanks to @faran66 for finding and reporting this issue privately to the go-git project. 🙇
- Database specific
{ "severity": "MODERATE", "cwe_ids": [ "CWE-674", "CWE-835" ], "github_reviewed": true, "github_reviewed_at": "2026-05-13T15:29:47Z", "nvd_published_at": null }- References
Affected packages
Go / github.com/go-git/go-billy/v5
Package
- Name
- github.com/go-git/go-billy/v5
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/go-git/go-billy/v5
Go / github.com/go-git/go-billy/v6
Package
- Name
- github.com/go-git/go-billy/v6
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/go-git/go-billy/v6