Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
Multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption.
These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures.
Patches
Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-billy version.
Credits
Thanks to @faran66 for finding and reporting this issue privately to the go-git project. 🙇
AnalysisAI
go-billy versions prior to v5.9.0 and v6.0.0-alpha.1 lack proper depth and cycle detection in symlink resolution, allowing authenticated remote attackers to trigger infinite loops, uncontrolled recursion, or excessive resource consumption through crafted or malformed repository data and filesystem structures. The vulnerability stems from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states. CVSS 6.5 (availability impact) reflects the authenticated requirement (PR:L) and network attack vector, with no public exploit currently identified.
Technical ContextAI
go-billy is a Go library providing an abstraction layer for filesystem operations, used by go-git for repository management. The vulnerability resides in symlink resolution components that lack cycle detection and recursion depth limits. When processing untrusted repository data or filesystem structures, the library improperly handles crafted input, leading to infinite loops or uncontrolled recursion. CWE-674 (Uncontrolled Recursion) describes the root cause: missing defensive mechanisms such as depth counters, visited-node tracking for cycle detection, or state validation before recursive calls. The affected CPE entries (go/github.com_go-git_go-billy_v5 and v6) indicate the issue spans both major versions, with v5 prior to 5.9.0 and v6 prior to 6.0.0-alpha.1 being vulnerable.
RemediationAI
Vendor-released patch: Upgrade to go-billy v5.9.0 or later for the v5 series, or v6.0.0-alpha.1 or later for the v6 series. See release notes at https://github.com/go-git/go-billy/releases/tag/v5.9.0 and https://github.com/go-git/go-billy/releases/tag/v6.0.0-alpha.1. The fix implements path.Clean instead of filepath.Clean in iofs.Open, adds ChrootOS evaluation on creation (preventing late-stage symlink traversal), and improves general cycle and depth detection. For v6, users should note that v6.0.0-alpha.1 is pre-release; monitor for a stable v6.0.0 release. As an interim compensating control if upgrading is delayed, restrict go-billy usage to processing only trusted, authenticated Git repositories and implement process-level resource limits (ulimit on Linux, JobObjects on Windows) to cap CPU and memory consumption if infinite loops are triggered. This mitigates availability impact but does not prevent the underlying issue.
Same weakness CWE-674 – Uncontrolled Recursion
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33663
GHSA-m3xc-h892-ggx6