VYPR
Medium severity (5.4) · GHSA Advisory · Published May 19, 2026 · Updated May 19, 2026

go-git: Crafted repositories may modify main and submodule .git directories

CVE-2026-45571

Description

Impact

A path validation issue in go-git could allow crafted repository data to affect files outside the intended checkout target, including the repository's .git directory.

These validations were introduced in upstream Git years ago, so the vulnerability arose from go-git drifting from those checks. Some attack vectors were platform-specific: certain payloads affected only Windows users, others affected only macOS users, and some applied across all supported platforms.
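As an added illustration (not go-git's code and not taken from the advisory), this is the shape of the path validation upstream Git applies to tree entries before a checkout, which any Git implementation has to reproduce: it rejects traversal and absolute paths, a `.git` component in any case, the NTFS aliases of `.git` (the `GIT~1` short name, trailing dots or spaces, a `:stream` suffix) and the HFS+ aliases (names equal to `.git` once the code points HFS+ ignores are dropped). Which of these checks go-git had drifted from is not stated in the advisory; the rule set here is my own approximation of Git's `verify_path`, `is_ntfs_dotgit` and `is_hfs_dotgit`, it treats backslashes as separators on every platform, and the sample paths are constructed.

```go
package main

import "strings"

// hfsFold drops the code points HFS+ ignores when comparing names and lower-cases
// the rest, so ".g<U+200C>it" folds to ".git" (the idea behind Git's is_hfs_dotgit).
func hfsFold(s string) string {
	var b strings.Builder
	for _, r := range s {
		if (r >= 0x200c && r <= 0x200f) || (r >= 0x202a && r <= 0x202e) ||
			(r >= 0x206a && r <= 0x206f) || r == 0xfeff {
			continue
		}
		b.WriteRune(r)
	}
	return strings.ToLower(b.String())
}

// isNTFSDotGit reports whether NTFS would map a name onto ".git": the 8.3 short
// name GIT~1, trailing dots/spaces NTFS strips, or a ":stream" suffix (cf. is_ntfs_dotgit).
func isNTFSDotGit(c string) bool {
	if i := strings.IndexByte(c, ':'); i >= 0 {
		c = c[:i]
	}
	c = strings.ToLower(strings.TrimRight(c, ". "))
	return c == ".git" || (strings.HasPrefix(c, "git~") && len(c) > 4 && strings.Trim(c[4:], "0123456789") == "")
}

// CheckTreePath classifies one tree/index entry path before a checkout touches the
// worktree: "ok" or the check it fails. Backslashes count as separators everywhere
// (an assumption stricter than upstream Git, which does so only on Windows).
func CheckTreePath(p string) string {
	p = strings.ReplaceAll(p, "\\", "/")
	if strings.HasPrefix(p, "/") || (len(p) > 2 && p[1] == ':' && p[2] == '/') {
		return "absolute path"
	}
	for _, c := range strings.Split(p, "/") {
		switch {
		case c == "..":
			return "parent-directory component"
		case strings.EqualFold(c, ".git"):
			return ".git component"
		case isNTFSDotGit(c):
			return "NTFS alias of .git"
		case hfsFold(c) == ".git":
			return "HFS+ alias of .git"
		}
	}
	return "ok"
}
```

A checkout that runs every entry through such a check, and refuses the whole operation on the first rejection, keeps crafted tree entries from ever reaching the worktree or `.git`.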

Using non-descendant go-billy filesystem instances, or different filesystem types, for the Storer and Worktree may provide some isolation against .git directory manipulation. For example, users that store the .git directory through memfs while using osfs for the worktree are not affected by this vulnerability in the main repository, because repository metadata is not materialized inside the worktree filesystem.

However, this isolation does not necessarily apply when the repository contains submodules, since submodule dotgit directories may still be represented or materialized within the worktree context.

It is important to note that exploitation requires a maliciously crafted repository payload. Users should always exercise caution when interacting with repositories or Git servers they do not trust.

Patches

Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected; users are recommended to upgrade to a supported go-git version.

Credits

Thanks to @kodareef5, @AyushParkara and @N0zoM1z0 for reporting this to the go-git project in three separate reports. 🙇

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path validation flaw in go-git lets crafted repos write files outside the checkout target, including the .git directory, affecting versions prior to v5.

Vulnerability

A path validation issue exists in go-git, a pure-Go Git implementation [1]. The flaw allows crafted repository data to bypass checks that were introduced in upstream Git years ago, leading to filesystem writes outside the intended checkout target, including the repository's .git directory. Versions prior to v5 are likely affected [2][3]. Some attack vectors are platform-specific: certain payloads affect only Windows users, others only macOS users, and some apply across all supported platforms [2][3].

Exploitation

Exploitation requires a maliciously crafted repository payload [2][3]. An attacker must convince the victim to clone or interact with a repository they control (e.g., from an untrusted Git server). No additional authentication is needed beyond normal clone or checkout operations. The vulnerability is triggered when go-git processes path traversal sequences or specially crafted filenames during checkout. Using non-descendant go-billy filesystem instances or different filesystem types for the Storer and Worktree may provide some isolation, but this does not necessarily apply when submodules are present; submodule .git directories may still be materialized in the worktree context [2][3].

Impact

Successful exploitation allows an attacker to write files outside the intended checkout directory, including into the repository's own .git directory [2][3]. This can lead to arbitrary file modification, potentially enabling subsequent code execution (e.g., by altering Git hooks in .git/hooks/). The impact is limited to the scope of the application's filesystem permissions, and no privilege escalation beyond the user running go-git is implied. The vulnerability affects confidentiality, integrity, and availability depending on the attacker's goals.

Mitigation

Users should upgrade to a patched version of go-git [2][3]. Versions prior to v5 are likely affected; upgrading to a supported go-git version (v5 or later) is recommended. No specific patch version or release date for v5 is given in the references. As a partial workaround, using non-descendant go-billy filesystem instances for Storer and Worktree (e.g., memfs for .git storage and osfs for worktree) may reduce risk, but this does not protect against submodule-based attacks [2][3]. Users should also exercise caution when interacting with repositories from untrusted sources [2][3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Go Git / Go Git (GHSA, 2 versions)
    • (no CPE) range: <= 44.7.0
    • (no CPE) range: < 5

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions (0)

No linked articles in our index yet.