GHSA-gm2x-2g9h-ccm8
Suggest an improvement- Source
- https://github.com/advisories/GHSA-gm2x-2g9h-ccm8
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-gm2x-2g9h-ccm8/GHSA-gm2x-2g9h-ccm8.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-gm2x-2g9h-ccm8
- Aliases
-
- CVE-2026-33762
- Related
- Published
- 2026-03-30T17:05:23Z
- Modified
- 2026-03-31T02:29:13.128787Z
- Severity
-
- 2.8 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- go-git missing validation decoding Index v4 files leads to panic
- Details
-
Impact
go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing.This issue only affects Git index format version 4. Earlier formats (
go-gitsupports onlyv2andv3) are not vulnerable to this issue.An attacker able to supply a crafted
.git/indexfile can cause applications using go-git to panic while reading the index. If the application does not recover from panics, this results in process termination, leading to a denial-of-service (DoS) condition.Exploitation requires the ability to modify or inject a Git index file within the local repository in disk. This typically implies write access to the
.gitdirectory.Patches
Users should upgrade to
v5.17.1, or the latestv6pseudo-version, in order to mitigate this vulnerability.Credit
go-git maintainers thank @kq5y for finding and reporting this issue privately to the
go-gitproject. - Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-129" ], "nvd_published_at": null, "github_reviewed_at": "2026-03-30T17:05:23Z", "severity": "LOW" }- References
Affected packages
Go / github.com/go-git/go-git/v5
Package
- Name
- github.com/go-git/go-git/v5
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/go-git/go-git/v5