GHSA-389r-gv7p-r3rp

Source

https://github.com/advisories/GHSA-389r-gv7p-r3rp

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-389r-gv7p-r3rp/GHSA-389r-gv7p-r3rp.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-389r-gv7p-r3rp

Aliases

CVE-2026-45022

Related

CGA-8x53-pqv6-wqhw

Published

2026-05-11T14:48:12Z

Modified

2026-05-12T04:44:33.110411208Z

Severity

7.0 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N CVSS Calculator

Summary

go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git

Details

Impact

go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representation may expose values differently from how Git itself would interpret or reject the same object.

Additionally, go-git’s commit signing and verification logic operates over commit data reconstructed from go-git’s parsed representation rather than the original raw object bytes. As a result, go-git may sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository.

This can cause a signature to appear valid for a commit whose displayed or effective metadata differs from the object that was intended to be signed.

Patches

Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version.

Credit

Thanks to @bugbunny-research (https://bugbunny.ai/) for reporting this to sigstore/gitsign, and to @wlynch, @patzielinski and @adityasaky for coordinating the disclosure with the go-git project. :bow: :1stplacemedal:

Thanks to @wayphinder for reporting this to the go-git project. :bow:

Database specific

{
    "cwe_ids": [
        "CWE-180",
        "CWE-345"
    ],
    "github_reviewed_at": "2026-05-11T14:48:12Z",
    "github_reviewed": true,
    "severity": "HIGH",
    "nvd_published_at": null
}

References

Affected packages

Go / github.com/go-git/go-git/v6

Package

Name: github.com/go-git/go-git/v6; View open source insights on deps.dev
Purl: pkg:golang/github.com/go-git/go-git/v6

Affected ranges

Type: SEMVER
Events: Introduced

6.0.0-alpha.1

Fixed

6.0.0-alpha.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-389r-gv7p-r3rp/GHSA-389r-gv7p-r3rp.json"

last_known_affected_version_range

"<= 6.0.0-alpha.2"

Go / github.com/go-git/go-git/v5

Package

Name: github.com/go-git/go-git/v5; View open source insights on deps.dev
Purl: pkg:golang/github.com/go-git/go-git/v5

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.19.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-389r-gv7p-r3rp/GHSA-389r-gv7p-r3rp.json"