High severity · NVD Advisory · Published Jan 6, 2025 · Updated Aug 26, 2025
go-git clients vulnerable to DoS via maliciously crafted Git server replies
CVE-2025-21614
Description
go-git is a highly extensible Git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server that trigger resource exhaustion in go-git clients. Users running go-git v4 and above are advised to upgrade to v5.13 to mitigate this vulnerability.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| gopkg.in/src-d/go-git.v4 (Go) | >= 4.0.0, <= 4.13.1 | — |
| github.com/go-git/go-git/v5 (Go) | < 5.13.0 | 5.13.0 |
| github.com/go-git/go-git (Go) | >= 4.0.0, <= 4.13.1 | — |
References
- github.com/advisories/GHSA-r9px-m959-cxf4 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-21614 (ghsa, ADVISORY)
- github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4 (ghsa, x_refsource_CONFIRM, WEB)