Skip to main content

go-git EUVDEUVD-2026-32546

| CVE-2026-45570 LOW
Improper Encoding or Escaping of Output (CWE-116)
2026-05-19 https://github.com/go-git/go-git GHSA-m7cr-m3pv-hgrp
2.3
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
CVSS changed
May 27, 2026 - 19:37 NVD
2.3 (LOW)
Source Code Evidence Fetched
May 19, 2026 - 16:00 vuln.today
Analysis Generated
May 19, 2026 - 16:00 vuln.today

DescriptionGitHub Advisory

Impact

go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. This diverges from canonical Git, which shell-quotes the path through sq_quote_buf so that an embedded ' becomes the '\'' close-escape-reopen sequence and the whole path round-trips as a single quoted argument.

A repository path containing a single quote can therefore break out of the quoted region in the exec command and be appended as additional shell tokens. On SSH servers that evaluate the exec command through a shell (for example a user account whose login shell is /bin/sh or /bin/bash, or a ForceCommand wrapper that re-evaluates $SSH_ORIGINAL_COMMAND), those additional tokens execute in that account's command-execution context. SSH servers that tokenize the exec command without shell evaluation, including the canonical git-shell setup, are not affected.

The vulnerable behaviour is on the SSH server side, not in go-git: the same bytes can be produced by any SSH client. The change in go-git is defense-in-depth that restores parity with canonical Git's wire format and prevents go-git from being a vehicle for reaching shell-evaluating servers through attacker-influenced repository paths.

Patches

Users should upgrade to a patched version in order to mitigate this issue. The fix ports sq_quote_buf from canonical Git into go-git's SSH transport so that the wire output is byte-identical to what git itself would send for the same input.

Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version.

Credit

Thanks to @N0zoM1z0 for reporting this to the go-git project. :bow:

AnalysisAI

Shell command injection in go-git's SSH transport allows attackers who control repository path values to execute arbitrary shell commands on SSH servers that evaluate exec commands through a login shell. go-git wraps repository paths in single quotes without escaping embedded single-quote characters, diverging from canonical Git's sq_quote_buf behavior. When a go-git client connects to an SSH server whose exec command passes through /bin/sh, /bin/bash, or a ForceCommand wrapper that re-evaluates $SSH_ORIGINAL_COMMAND, an attacker-influenced path containing a single quote can break out of the quoted region and append arbitrary shell tokens. No public exploit identified at time of analysis.

Technical ContextAI

The root cause is CWE-116 (Improper Encoding or Escaping of Output). go-git's SSH transport layer constructs a remote exec string of the form 'git-upload-pack '\''<repo-path>'\''' using naïve single-quote wrapping. Canonical Git implements sq_quote_buf, which replaces every embedded single quote with the four-character sequence '\''\'' (close quote, escaped quote, reopen quote), allowing arbitrary paths to round-trip safely as a single shell token. Affected packages identified via PURL are: pkg:go/github.com/go-git/go-git/v5 (all releases through 5.19.0), pkg:go/github.com/go-git/go-git/v6 (all alpha releases through 6.0.0-alpha.3), and pkg:go/github.com/go-git/go-git (the legacy v4 line, all releases through 4.7.0). The vulnerability lives in the bytes go-git places on the wire; any SSH client could technically send the same payload, but go-git is uniquely at risk because repository paths it operates on can be influenced by untrusted sources.

RemediationAI

The primary remediation for v5 users is to upgrade to go-git v5.19.1, and for v6 pre-release users to upgrade to v6.0.0-alpha.4. Both patched versions port sq_quote_buf from canonical Git so that the SSH transport wire output is byte-identical to what git itself produces, closing the injection path. The v4 legacy line (go-git without a version suffix) has no available patch; users on v4 must migrate to the v5 module. For deployments that cannot immediately upgrade, the most effective compensating control is to ensure that every SSH server accepting go-git connections uses git-shell as the forced command rather than a general login shell or a ForceCommand wrapper that re-evaluates $SSH_ORIGINAL_COMMAND - git-shell tokenizes the exec command without shell interpretation and is not vulnerable to this class of injection. Additionally, restrict which repository paths go-git is allowed to operate on so that untrusted input cannot reach the SSH transport layer. Advisory: https://github.com/go-git/go-git/security/advisories/GHSA-m7cr-m3pv-hgrp.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2026-33309 CRITICAL POC
9.9 Mar 19

An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar

CVE-2019-7304 CRITICAL POC
9.8 Apr 23

Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra

CVE-2026-33186 CRITICAL POC
9.1 Mar 18

An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT

CVE-2026-50180 HIGH POC
8.7 Jul 02

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi

CVE-2020-14966 HIGH POC
7.5 Jun 22

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner

CVE-2020-13822 HIGH POC
7.7 Jun 04

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte

CVE-2026-29181 HIGH POC
7.5 Apr 07

Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se

CVE-2019-7303 HIGH POC
7.5 Apr 23

A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char

CVE-2014-4699 MEDIUM POC
6.9 Jul 09

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-48816 MEDIUM POC
6.5 Jul 01

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w

Share

EUVD-2026-32546 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy