CVE-2026-45571 go-git CVE debrief

Who should care

Organizations using applications built with go-git for Git repository operations, particularly those processing repositories from untrusted or external sources. Developers maintaining Go applications with Git integration should prioritize updating dependencies. Security teams should assess exposure in CI/CD pipelines, developer tools, and automated repository processing systems.

Technical summary

The go-git library prior to versions 5.19.1 and 6.0.0-alpha.4 contains a path validation weakness (CWE-22) where maliciously crafted repository data can cause files to be written outside the intended checkout target directory. This includes the ability to affect the repository's own .git directory. The vulnerability exists because go-git did not implement path validation checks that were added to upstream Git in prior years. Successful exploitation requires user interaction (e.g., cloning or checking out a malicious repository) and could result in low integrity and availability impacts to the host system.

Defensive priority

medium

Recommended defensive actions

• Upgrade go-git to version 5.19.1 or 6.0.0-alpha.4 or later
• Review applications using go-git for repository cloning or checkout operations from untrusted sources
• Validate that repository data sources are trusted before processing
• Monitor for anomalous file system activity in .git directories and parent paths of repository checkouts
• Consider implementing additional path traversal protections for applications processing arbitrary Git repositories

Evidence notes

The CVE description and GitHub Security Advisory confirm the path validation bypass affects file write operations during repository checkout, with potential impact to the .git directory. The CVSS vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, with low impacts to integrity and availability.

Official resources