Skip to content

fix(deps): update module github.com/go-git/go-git/v5 to v5.19.1 [security]#5784

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/go-github.com-go-git-go-git-v5-vulnerability
Open

fix(deps): update module github.com/go-git/go-git/v5 to v5.19.1 [security]#5784
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/go-github.com-go-git-go-git-v5-vulnerability

Conversation

@renovate

@renovate renovate Bot commented May 11, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
github.com/go-git/go-git/v5 v5.18.0v5.19.1 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git

CVE-2026-45022 / GHSA-389r-gv7p-r3rp

More information

Details

Impact

go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representation may expose values differently from how Git itself would interpret or reject the same object.

Additionally, go-git’s commit signing and verification logic operates over commit data reconstructed from go-git’s parsed representation rather than the original raw object bytes. As a result, go-git may sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository.

This can cause a signature to appear valid for a commit whose displayed or effective metadata differs from the object that was intended to be signed.

Patches

Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version.

Credit

Thanks to @​bugbunny-research (https://bugbunny.ai/) for reporting this to sigstore/gitsign, and to @​wlynch, @​patzielinski and @​adityasaky for coordinating the disclosure with the go-git project. 🙇 🥇

Thanks to @​wayphinder for reporting this to the go-git project. 🙇

Severity

  • CVSS Score: 7.0 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


go-git: Improper single-quote escaping in go-git SSH transport

CVE-2026-45570 / GHSA-m7cr-m3pv-hgrp

More information

Details

Impact

go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. This diverges from canonical Git, which shell-quotes the path through sq_quote_buf so that an embedded ' becomes the '\'' close-escape-reopen sequence and the whole path round-trips as a single quoted argument.

A repository path containing a single quote can therefore break out of the quoted region in the exec command and be appended as additional shell tokens. On SSH servers that evaluate the exec command through a shell (for example a user account whose login shell is /bin/sh or /bin/bash, or a ForceCommand wrapper that re-evaluates $SSH_ORIGINAL_COMMAND), those additional tokens execute in that account's command-execution context. SSH servers that tokenize the exec command without shell evaluation, including the canonical git-shell setup, are not affected.

The vulnerable behaviour is on the SSH server side, not in go-git: the same bytes can be produced by any SSH client. The change in go-git is defense-in-depth that restores parity with canonical Git's wire format and prevents go-git from being a vehicle for reaching shell-evaluating servers through attacker-influenced repository paths.

Patches

Users should upgrade to a patched version in order to mitigate this issue. The fix ports sq_quote_buf from canonical Git into go-git's SSH transport so that the wire output is byte-identical to what git itself would send for the same input.

Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version.

Credit

Thanks to @​N0zoM1z0 for reporting this to the go-git project. 🙇

Severity

  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


go-git: Crafted repositories may modify main and submodule .git directories

CVE-2026-45571 / GHSA-crhj-59gh-8x96

More information

Details

Impact

A path validation issue in go-git could allow crafted repository data to affect files outside the intended checkout target, including the repository's .git directory.

These validations were introduced in upstream Git years ago, so the vulnerability arose from go-git drifting from those checks. Some attack vectors were platform-specific: certain payloads affected only Windows users, others affected only macOS users, and some applied across all supported platforms.

Using non-descendant go-billy filesystem instances, or different filesystem types, for the Storer and Worktree may provide some isolation against .git directory manipulation. For example, users that store the .git directory through memfs while using osfs for the worktree are not affected by this vulnerability in the main repository, because repository metadata is not materialized inside the worktree filesystem.

However, this isolation does not necessarily apply when the repository contains submodules, since submodule dotgit directories may still be represented or materialized within the worktree context.

It is important to note that exploitation requires a maliciously crafted repository payload. Users should always exercise caution when interacting with repositories or Git servers they do not trust.

Patches

Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version.

Credits

Thanks to @​kodareef5, @​AyushParkara and @​N0zoM1z0 for reporting this to the go-git project in three separate reports. 🙇

Severity

  • CVSS Score: 5.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


go-git: Malformed Git object data may cause panics or resource exhaustion

GHSA-w5pp-99ch-qj29

More information

Details

Impact

Several denial-of-service issues were identified in go-git when parsing maliciously crafted Git repository data.

An attacker may craft a malicious .pack, .idx or loose objects that causes an application using an affected version of go-git to panic or consume excessive resources.

This can lead to denial of service in applications that use go-git to clone, fetch, open, or otherwise process untrusted repositories or Git object data.

Exploitation requires the ability to alter read-only files such as .pack or .idx from the local repository's .git/objects/pack/ directory. Alternatively, the user would need to be interacting with a malicious remote server, which is not recommended and exposes users to a broader class of security risks beyond this issue.

Patches

Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version.

Credits

go-git thanks @​kodareef5, @​AyushParkara and @​N0zoM1z0 for reporting this in four separate reports. 🙇

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

go-git/go-git (github.com/go-git/go-git/v5)

v5.19.1

Compare Source

What's Changed

Full Changelog: go-git/go-git@v5.19.0...v5.19.1

v5.19.0

Compare Source

What's Changed

Full Changelog: go-git/go-git@v5.18.0...v5.19.0


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label May 11, 2026
@renovate renovate Bot requested a review from a team as a code owner May 11, 2026 17:40
@renovate

renovate Bot commented May 11, 2026

Copy link
Copy Markdown
Contributor Author

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 9 additional dependencies were updated

Details:

Package Change
github.com/go-git/go-billy/v5 v5.8.0 -> v5.9.0
golang.org/x/mod v0.33.0 -> v0.35.0
golang.org/x/text v0.35.0 -> v0.36.0
github.com/pjbgf/sha1cd v0.3.2 -> v0.6.0
golang.org/x/crypto v0.49.0 -> v0.50.0
golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 -> v0.0.0-20260410095643-746e56fc9e2f
golang.org/x/net v0.52.0 -> v0.53.0
golang.org/x/sys v0.42.0 -> v0.43.0
golang.org/x/term v0.41.0 -> v0.42.0

@github-actions

Copy link
Copy Markdown
Contributor

/it-go

@renovate renovate Bot force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch from a8a0dbf to 0d0492f Compare May 12, 2026 12:29
@github-actions

Copy link
Copy Markdown
Contributor

/it-go

@renovate renovate Bot changed the title fix(deps): update module github.com/go-git/go-git/v5 to v5.19.0 [security] fix(deps): update module github.com/go-git/go-git/v5 to v5.19.1 [security] May 19, 2026
@renovate renovate Bot force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch from 0d0492f to 4e3fb26 Compare May 19, 2026 17:30
@github-actions

Copy link
Copy Markdown
Contributor

/it-go

@renovate renovate Bot force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch from 4e3fb26 to 17a2db5 Compare May 28, 2026 21:09
@renovate renovate Bot changed the title fix(deps): update module github.com/go-git/go-git/v5 to v5.19.1 [security] fix(deps): update module github.com/go-git/go-git/v5 to v5.19.1 [security] - autoclosed Jun 2, 2026
@renovate renovate Bot closed this Jun 2, 2026
@renovate renovate Bot deleted the renovate/go-github.com-go-git-go-git-v5-vulnerability branch June 2, 2026 07:50
@renovate renovate Bot changed the title fix(deps): update module github.com/go-git/go-git/v5 to v5.19.1 [security] - autoclosed fix(deps): update module github.com/go-git/go-git/v5 to v5.19.1 [security] Jun 2, 2026
@renovate renovate Bot reopened this Jun 2, 2026
@renovate renovate Bot force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch 2 times, most recently from 17a2db5 to be500e7 Compare June 2, 2026 10:34
@renovate renovate Bot changed the title fix(deps): update module github.com/go-git/go-git/v5 to v5.19.1 [security] fix(deps): update module github.com/go-git/go-git/v5 to v5.19.1 [security] - autoclosed Jun 23, 2026
@renovate renovate Bot closed this Jun 23, 2026
@renovate renovate Bot changed the title fix(deps): update module github.com/go-git/go-git/v5 to v5.19.1 [security] - autoclosed fix(deps): update module github.com/go-git/go-git/v5 to v5.19.1 [security] Jun 23, 2026
@renovate renovate Bot reopened this Jun 23, 2026
@renovate renovate Bot force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch 2 times, most recently from be500e7 to 2e8a006 Compare June 23, 2026 18:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants