PatchSiren cyber security CVE debrief
CVE-2026-44973 go-git CVE debrief
CVE-2026-44973 documents multiple path traversal vulnerabilities in go-billy, a Go filesystem abstraction library maintained by the go-git project. The vulnerability stems from insufficient path sanitization and boundary enforcement across different components of the library, allowing crafted paths using directory traversal sequences (e.g., ..) to escape intended base directories. While go-billy was not originally designed as a strong security boundary, inconsistent implementation across built-in filesystem backends created scenarios where applications relying on the library for isolation could inadvertently expose unintended filesystem locations. The CVSS 3.1 score of 8.1 (High) reflects network attack vector, low attack complexity, low privileges required, and high impact to confidentiality and integrity. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). A fix is available in version 5.9.0.
- Vendor
- go-git
- Product
- go-billy
- CVSS
- HIGH 8.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-28
- Original CVE updated
- 2026-05-29
- Advisory published
- 2026-05-28
- Advisory updated
- 2026-05-29
Who should care
Organizations using go-billy in Go applications, particularly those exposing filesystem operations through network services, containerized applications using go-billy for layered filesystem access, developers building multi-tenant or sandboxed environments relying on go-billy for isolation boundaries, and security teams auditing Go supply chain dependencies for path traversal risks
Technical summary
The go-billy library provides filesystem abstraction interfaces for Go applications. Versions prior to 5.9.0 contain path traversal vulnerabilities where insufficient sanitization of user-supplied paths allows escape from intended base directories. The vulnerability manifests inconsistently across built-in implementations (such as OsFs, MemMapFs, and others), meaning some filesystem backends were more susceptible than others. Applications using go-billy to provide sandboxed or isolated filesystem access—particularly those handling untrusted path inputs—are at risk of unintended file disclosure or modification outside intended boundaries. The fix in 5.9.0 addresses these inconsistencies and strengthens path validation across all implementations.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade go-billy to version 5.9.0 or later to address path traversal vulnerabilities
- Review application code for reliance on go-billy as a security boundary and implement additional path validation if isolation is required
- Audit filesystem access patterns in applications using go-billy to identify potential exposure of sensitive directories
- Consider implementing defense-in-depth with additional chroot or container-level filesystem restrictions for untrusted path handling
- Monitor GitHub Security Advisory GHSA-qw64-3x98-g7q2 for any additional guidance or follow-up disclosures
Evidence notes
Vulnerability confirmed through GitHub Security Advisory GHSA-qw64-3x98-g7q2. NVD entry shows vulnStatus 'Received' indicating initial processing. CVSS vector confirms network-accessible attack with high confidentiality and integrity impact. No known exploitation in the wild or KEV listing at time of disclosure.
Official resources
-
CVE-2026-44973 CVE record
CVE.org
-
CVE-2026-44973 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
2026-05-28