GHSA-m7cr-m3pv-hgrp

Source
https://github.com/advisories/GHSA-m7cr-m3pv-hgrp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-m7cr-m3pv-hgrp/GHSA-m7cr-m3pv-hgrp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-m7cr-m3pv-hgrp
Aliases
  • CVE-2026-45570
Downstream
Related
Published
2026-05-19T15:21:01Z
Modified
2026-05-20T14:14:16.065757398Z
Severity
  • 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L
Summary
go-git: Improper single-quote escaping in go-git SSH transport
Details

Impact

go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. This diverges from canonical Git, which shell-quotes the path through sq_quote_buf so that an embedded ' becomes the '\'' close-escape-reopen sequence and the whole path round-trips as a single quoted argument.

A repository path containing a single quote can therefore break out of the quoted region in the exec command and be appended as additional shell tokens. On SSH servers that evaluate the exec command through a shell (for example a user account whose login shell is /bin/sh or /bin/bash, or a ForceCommand wrapper that re-evaluates $SSH_ORIGINAL_COMMAND), those additional tokens execute in that account's command-execution context. SSH servers that tokenize the exec command without shell evaluation, including the canonical git-shell setup, are not affected.

The vulnerable behaviour is on the SSH server side, not in go-git: the same bytes can be produced by any SSH client. The change in go-git is defense-in-depth that restores parity with canonical Git's wire format and prevents go-git from being a vehicle for reaching shell-evaluating servers through attacker-influenced repository paths.

Patches

Users should upgrade to a patched version in order to mitigate this issue. The fix ports sq_quote_buf from canonical Git into go-git's SSH transport so that the wire output is byte-identical to what git itself would send for the same input.

Versions prior to v5 are likely to be affected as well; users are recommended to upgrade to a supported go-git version.
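
The following is an added illustration, not code from go-git or from the advisory: a Go port of canonical Git's sq_quote_buf placed beside the naive wrap-in-single-quotes behaviour described under Impact, with both outputs fed through a minimal model of POSIX shell word splitting. It shows that the naive form lets a path containing a single quote spill into extra shell tokens, while the sq_quote_buf form round-trips the same path as one argument. The function names, the sample repository path and the toy tokenizer are constructed for this example; the escaping of `!` alongside `'` comes from git's quote.c (need_bs_quote) and is not mentioned in the advisory text.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveQuote models the pre-fix behaviour described in the advisory: the path
// is wrapped in single quotes and embedded quotes are left untouched.
func naiveQuote(path string) string {
	return "'" + path + "'"
}

// sqQuote is a port of canonical Git's sq_quote_buf (quote.c). The argument is
// wrapped in single quotes and each embedded ' (and, as in git, each !) is
// emitted as the close-escape-reopen sequence '\'' (or '\!').
func sqQuote(path string) string {
	var b strings.Builder
	b.WriteByte('\'')
	for i := 0; i < len(path); i++ {
		c := path[i]
		if c == '\'' || c == '!' {
			b.WriteString("'\\")
			b.WriteByte(c)
			b.WriteByte('\'')
			continue
		}
		b.WriteByte(c)
	}
	b.WriteByte('\'')
	return b.String()
}

// execCommand builds the SSH exec request in the shape "<service> <quoted path>".
func execCommand(service, path string, quote func(string) string) string {
	return service + " " + quote(path)
}

// shellWords is a deliberately small model of POSIX shell word splitting, enough
// to show where token boundaries fall: blanks separate words, ';' '|' '&' are
// their own tokens, single quotes protect everything until the closing quote,
// and a backslash outside quotes makes the next byte literal. It is not a shell.
func shellWords(cmd string) ([]string, error) {
	var words []string
	var cur strings.Builder
	inWord, inQuote := false, false
	flush := func() {
		if inWord {
			words = append(words, cur.String())
			cur.Reset()
			inWord = false
		}
	}
	for i := 0; i < len(cmd); i++ {
		c := cmd[i]
		switch {
		case inQuote:
			if c == '\'' {
				inQuote = false
			} else {
				cur.WriteByte(c)
			}
		case c == '\'':
			inQuote, inWord = true, true
		case c == '\\':
			if i+1 >= len(cmd) {
				return nil, fmt.Errorf("trailing backslash")
			}
			i++
			cur.WriteByte(cmd[i])
			inWord = true
		case c == ' ' || c == '\t':
			flush()
		case c == ';' || c == '|' || c == '&':
			flush()
			words = append(words, string(c))
		default:
			cur.WriteByte(c)
			inWord = true
		}
	}
	if inQuote {
		return nil, fmt.Errorf("unterminated single quote")
	}
	flush()
	return words, nil
}

func main() {
	// Constructed sample path: a single quote closes the naive quoting early.
	path := "repo'; id; '"
	quoters := []struct {
		name string
		fn   func(string) string
	}{{"naive", naiveQuote}, {"sq_quote_buf", sqQuote}}
	for _, q := range quoters {
		cmd := execCommand("git-upload-pack", path, q.fn)
		words, err := shellWords(cmd)
		fmt.Printf("%-13s wire: %s\n%-13s shell sees %d words: %q (err=%v)\n", q.name, cmd, "", len(words), words, err)
	}
}
```

With the naive quoting the shell-evaluating server sees six tokens, including a second command (`id`), which is the break-out the advisory describes; with sqQuote it sees exactly two, and the second is byte-for-byte the original path. A server that tokenizes without shell evaluation (git-shell) never reaches the splitting step at all.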

Credit

Thanks to @N0zoM1z0 for reporting this to the go-git project. :bow:

Database specific
{
    "github_reviewed_at": "2026-05-19T15:21:01Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-116"
    ],
    "nvd_published_at": null,
    "severity": "LOW"
}
References

Affected packages

Go / github.com/go-git/go-git/v5

Package

Name
github.com/go-git/go-git/v5
Purl
pkg:golang/github.com/go-git/go-git/v5

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.19.1

Database specific

last_known_affected_version_range
"<= 5.19.0"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-m7cr-m3pv-hgrp/GHSA-m7cr-m3pv-hgrp.json"

Go / github.com/go-git/go-git/v6

Package

Name
github.com/go-git/go-git/v6
Purl
pkg:golang/github.com/go-git/go-git/v6

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.0.0-alpha.4

Database specific

last_known_affected_version_range
"<= 6.0.0-alpha.3"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-m7cr-m3pv-hgrp/GHSA-m7cr-m3pv-hgrp.json"

Go / github.com/go-git/go-git

Package

Name
github.com/go-git/go-git
Purl
pkg:golang/github.com/go-git/go-git

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
4.7.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-m7cr-m3pv-hgrp/GHSA-m7cr-m3pv-hgrp.json"