PatchSiren

go-git CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM go-git CVE published 2026-06-01

CVE-2026-44740

Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of [truncated]

HIGH go-git CVE published 2026-05-28

CVE-2026-44973

CVE-2026-44973 documents multiple path traversal vulnerabilities in go-billy, a Go filesystem abstraction library maintained by the go-git project. The vulnerability stems from insufficient path sanitization and boundary enforcement across different components of the library, allowing crafted paths using directory traversal sequences (e.g., ..) to escape intended base directories. While go-billy was not o [truncated]

MEDIUM go-git CVE published 2026-05-27

CVE-2026-45571

A path validation vulnerability in go-git, a pure Go Git implementation library, could allow crafted repository data to write files outside the intended checkout directory, including the repository's .git directory. The issue stems from go-git lacking validations that upstream Git introduced years ago. Affected versions are prior to 5.19.1 and 6.0.0-alpha.4; fixed versions are 5.19.1 and 6.0.0-alpha.4. Th [truncated]

LOW go-git CVE published 2026-05-27

CVE-2026-45570

go-git is a pure Go implementation of Git operations used by many applications for programmatic repository interaction. This CVE documents a command injection vulnerability in the library's SSH transport layer where repository paths containing single quotes are not properly escaped when constructing remote exec commands. The vulnerability allows path contents to break out of quoted regions and append addi [truncated]

HIGH go-git CVE published 2026-05-27

CVE-2026-45022

go-git is a pure Go implementation of Git used by many tools and services for programmatic repository operations. This vulnerability affects versions prior to 5.19.0 and 6.0.0-alpha.3, where malformed Git objects may be parsed differently than upstream Git would handle them. When commit or tag objects contain ambiguous or malformed headers, go-git's internal representation can expose values that diverge f [truncated]