The popular Go library for Git interaction, go-git, has recently released version 5.13 to address two critical security vulnerabilities that could leave your repositories exposed. Developers are strongly urged to update their dependencies immediately.
CVE-2025-21613: Argument Injection Opens Door to Unauthorized Access
The first vulnerability, tracked as CVE-2025-21613 and assigned a CVSS score of 9.8 (Critical), allows attackers to inject arbitrary arguments into git-upload-pack flags. This vulnerability specifically impacts users of the file transport protocol, which relies on shelling out to git binaries. By manipulating the URL field, malicious actors could gain unauthorized access to your repositories.
CVE-2025-21614: Malicious Servers Can Trigger Denial of Service
The second vulnerability, CVE-2025-21614 (CVSS score 7.5), enables denial-of-service (DoS) attacks against go-git clients. Attackers can craft malicious responses from a Git server, leading to resource exhaustion and disrupting client operations. This vulnerability highlights the importance of interacting with trusted Git servers.
Upgrade to go-git v5.13 for Comprehensive Protection
The go-git team has addressed both vulnerabilities in version 5.13. Upgrading to this latest version is the most effective way to secure your Git interactions and prevent potential exploits.
Workarounds for Legacy Systems
If immediate upgrades are not feasible, go-git recommends the following workarounds:
- For CVE-2025-21613: Enforce strict validation rules for values passed in the URL field to prevent malicious argument injection.
- For CVE-2025-21614: Limit go-git usage to trusted Git servers to mitigate the risk of DoS attacks.
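The two workarounds above can be enforced in one place before any remote string reaches go-git. The following Go validator is an added example, not code from go-git or from this advisory: it assumes a hypothetical `trustedHosts` allowlist and that the caller hands the validated string on to go-git's clone or fetch call (not shown, so the block runs offline with only the standard library).

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// trustedHosts is a constructed allowlist of Git servers this client may talk to
// (the CVE-2025-21614 workaround: only interact with trusted servers).
var trustedHosts = map[string]bool{"github.com": true, "git.example.internal": true}

// ValidateRemoteURL rejects URL-field values that should never reach go-git:
// flag-like values and path segments for the file transport (the CVE-2025-21613
// workaround: strict validation of the URL field) and network remotes whose host
// is not on the allowlist. Only explicit schemes are accepted; scp-style
// shorthand such as "git@host:repo" is rejected by url.Parse and must be
// written as ssh://.
func ValidateRemoteURL(raw string) error {
	if raw == "" {
		return errors.New("empty remote")
	}
	if strings.HasPrefix(raw, "-") {
		return errors.New("remote must not start with '-' (flag-like)")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("unparsable remote: %w", err)
	}
	switch u.Scheme {
	case "", "file":
		// File transport shells out to git binaries, so the path is checked strictly:
		// it must be absolute and no cleaned segment may look like a flag.
		p := u.Path
		if u.Scheme == "" {
			p = raw
		}
		if !path.IsAbs(p) {
			return errors.New("file remote must be an absolute path")
		}
		for _, seg := range strings.Split(path.Clean(p), "/") {
			if strings.HasPrefix(seg, "-") {
				return fmt.Errorf("flag-like path segment %q", seg)
			}
		}
		return nil
	case "https", "ssh":
		if !trustedHosts[u.Hostname()] {
			return fmt.Errorf("untrusted host %q", u.Hostname())
		}
		return nil
	default:
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
}
```

Run the validator on every remote before calling go-git; it is a layer alongside the upgrade to v5.13, not a replacement for it.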