fix: upgrade go-git to v5.19.1 to remediate CVE-2026-45571 and CVE-2026-45570 #20

Open: plural-copilot[bot] wants to merge 1 commit into main from fix/go-git-cve-2026-45571-45570
@plural-copilot

Security Fix: go-git v5.19.0 → v5.19.1

Upgrades github.com/go-git/go-git/v5 from v5.19.0 to v5.19.1 to remediate two CVEs affecting the ghcr.io/pluralsh/git-server image used in the Plural console service.


CVE-2026-45571 — Medium (CVSS 5.4)

go-git: Crafted repositories may modify .git directories

A path validation flaw allows crafted repository data to write files outside the checkout target, including into .git directories.

Advisory: GHSA-crhj-59gh-8x96


CVE-2026-45570 — Low

go-git: Improper single-quote escaping in SSH transport

The SSH transport fails to escape single quotes in repository paths, allowing shell injection on SSH servers that evaluate exec commands via a shell.

Advisory: GHSA-m7cr-m3pv-hgrp


Changes

  • go.mod: github.com/go-git/go-git/v5 v5.19.0 → v5.19.1
  • go.sum: updated via go mod tidy

Note: This fix affects the ghcr.io/pluralsh/git-server image used in the Plural console service.
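
The quoting problem summarized under CVE-2026-45570, shown as an added example (not go-git's code and not part of this PR): wrapping a path in single quotes without escaping embedded quotes, beside the escaped form. `shellQuote` and `splitPOSIX` are hypothetical helpers, `splitPOSIX` is a simplified model of shell word splitting, and the path is a constructed sample.

```go
package main

import (
	"fmt"
	"strings"
)

// shellQuote (hypothetical helper) rewrites each embedded ' as '\'' before wrapping.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// splitPOSIX models shell word splitting for single quotes, backslashes and spaces only.
// ok is false when the command ends inside an unterminated quote.
func splitPOSIX(cmd string) (words []string, ok bool) {
	var cur strings.Builder
	inQuote, inWord := false, false
	for i := 0; i < len(cmd); i++ {
		c := cmd[i]
		switch {
		case c == '\'': // a quote toggles literal mode and always starts or continues a word
			inQuote, inWord = !inQuote, true
		case inQuote: // inside quotes every byte is literal, including spaces and backslashes
			cur.WriteByte(c)
		case c == '\\' && i+1 < len(cmd): // outside quotes a backslash escapes the next byte
			i++
			cur.WriteByte(cmd[i])
			inWord = true
		case c == ' ' && inWord: // an unquoted space ends the current word
			words = append(words, cur.String())
			cur.Reset()
			inWord = false
		case c != ' ':
			cur.WriteByte(c)
			inWord = true
		}
	}
	if inWord {
		words = append(words, cur.String())
	}
	return words, !inQuote
}

func main() {
	path := "/srv/git/o'brien repo.git" // constructed sample path
	for _, arg := range []string{"'" + path + "'", shellQuote(path)} { // weak form, then escaped
		words, ok := splitPOSIX("git-upload-pack " + arg)
		fmt.Printf("%q balanced=%v\n", words, ok)
	}
}
```

With the weak form the path splits into two words and leaves a quote open; with the escaped form the shell model recovers the original path as a single argument.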

@plural-copilot plural-copilot Bot left a comment

This PR was generated by the codex Plural Agent Runtime. Here's some useful information you might want to know to evaluate the AI's performance:

  • 💬 Prompt: # Upgrade go-git to v5.19.1 to fix CVE-2026-45571 and CVE-2026-45570...
  • 🔗 Run history: View run history

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Updated: github.com/go-git/go-git/v5@v5.19.0 ⏵ v5.19.1

  • Supply Chain Security: 82 +1
  • Vulnerability: 100 +3
  • Quality: 100
  • Maintenance: 100
  • License: 100
