Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
Impact
go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing.
This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue.
An attacker able to supply a crafted .git/index file can cause applications using go-git to panic while reading the index. If the application does not recover from panics, this results in process termination, leading to a denial-of-service (DoS) condition.
Exploitation requires the ability to modify or inject a Git index file within the local repository in disk. This typically implies write access to the .git directory.
Patches
Users should upgrade to v5.17.1, or the latest v6 pseudo-version, in order to mitigate this vulnerability.
Credit
go-git maintainers thank @kq5y for finding and reporting this issue privately to the go-git project.
AnalysisAI
Denial-of-service vulnerability in go-git v5 and earlier versions allows local attackers with write access to the repository to craft a malicious Git index file (format version 4) that triggers an out-of-bounds slice operation during parsing, causing application panic and process termination. The vulnerability requires local disk write access to the .git directory and user interaction (file opening), making it a low-severity but exploitable DoS vector for applications that do not gracefully handle panics. Patch versions v5.17.1 and v6 are available.
Technical ContextAI
go-git is a pure Go implementation of the Git version control system that includes an index file parser supporting Git index format versions 2, 3, and 4. The vulnerability exists in the format version 4 decoder, which processes delta-compressed path names using a prefix-length encoding scheme. The decoder fails to validate that the decoded prefix length is within the bounds of the previously decoded path name before performing a slice operation on that path. This triggers Go's runtime bounds check, resulting in a panic rather than silent data corruption. The root cause is an insufficient input validation error (CWE-129: Improper Validation of Array Index) in the index parsing logic. The affected CPE is pkg:go/github.com_go-git_go-git_v5, indicating Go module imports of the go-git library at version 5 and earlier minor versions.
RemediationAI
Users should upgrade go-git to version v5.17.1 or later, or migrate to the latest v6 pseudo-version. In Go projects using go.mod, run go get -u github.com/go-git/go-git/v5@v5.17.1 or go get github.com/go-git/go-git/v6@latest. No known workarounds exist to mitigate the vulnerability short of upgrading, though applications may implement panic recovery mechanisms (defer/recover) to prevent process termination when parsing untrusted Git repositories. Detailed remediation guidance is available in the official advisory at https://github.com/advisories/GHSA-gm2x-2g9h-ccm8.
Same weakness CWE-129 – Improper Validation of Array Index
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17443
GHSA-gm2x-2g9h-ccm8