Threat Advisory

go-git Vulnerability Exposes Inconsistent Interpretation

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-45022, with a CVSS score of 7.0, is a vulnerability in go-git's parsing of specially crafted Git objects, specifically commit or tag objects with ambiguous or malformed headers, that can cause inconsistent interpretation compared to upstream Git. This issue affects go-git versions prior to v5, allowing an attacker with local access to manipulate the parsed representation of a commit or tag object, and potentially sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository. An attacker can exploit this vulnerability by submitting a specially crafted Git object to the go-git library, which can lead to a signature appearing valid for a commit whose displayed or effective metadata differs from the object that was intended to be signed. This can result in a loss of integrity and potentially confidentiality of the information managed by the system, as an attacker may be able to manipulate the commit history or sign a commit payload with a fake signature. No user interaction is required, and the vulnerability can be exploited remotely.
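
The defensive invariant behind this advisory, as an added example (not go-git's code and not the upstream fix): a strict parser for Git commit objects that refuses ambiguous or malformed headers rather than guessing how upstream Git would read them, and checks that the parsed representation re-encodes byte-for-byte to the stored object before anything derived from it is signed or verified. The `Commit` type, `ParseCommitStrict`, and the header rules (lowercase keys, a single `tree`/`author`/`committer`/`gpgsig`) are assumptions of this example and are deliberately stricter than Git itself.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// Commit is a strictly parsed Git commit object: headers in stored order plus the message.
type Commit struct{ Headers [][2]string; Message string }
// singleValued headers must not repeat; "parent" may legitimately repeat on merge commits.
var singleValued = map[string]bool{"tree": true, "author": true, "committer": true, "gpgsig": true}
// ParseCommitStrict parses raw commit bytes (after the "commit <size>\x00" prefix), rejecting
// ambiguous or malformed headers rather than guessing how upstream Git would read them.
func ParseCommitStrict(raw []byte) (*Commit, error) {
	sep := bytes.Index(raw, []byte("\n\n"))
	if sep < 0 {
		return nil, fmt.Errorf("no blank line between headers and message")
	}
	c, seen := &Commit{Message: string(raw[sep+2:])}, map[string]bool{}
	for _, line := range strings.Split(string(raw[:sep]), "\n") {
		if strings.HasPrefix(line, " ") && len(c.Headers) > 0 { // continuation of a multi-line value
			c.Headers[len(c.Headers)-1][1] += "\n" + line[1:]
			continue
		}
		key, value, ok := strings.Cut(line, " ")
		if !ok || key == "" || strings.Trim(key, "abcdefghijklmnopqrstuvwxyz") != "" {
			return nil, fmt.Errorf("malformed header line %q", line)
		}
		if singleValued[key] && seen[key] {
			return nil, fmt.Errorf("duplicate %q header: ambiguous which value applies", key)
		}
		seen[key] = true
		c.Headers = append(c.Headers, [2]string{key, value})
	}
	// What a signer or verifier would be handed must equal the stored object byte-for-byte.
	if !bytes.Equal(c.Encode(), raw) {
		return nil, fmt.Errorf("re-encoded object differs from stored bytes")
	}
	return c, nil
}

// Encode serialises the commit in Git's object format; continuation lines get a leading space.
func (c *Commit) Encode() []byte {
	var b bytes.Buffer
	for _, h := range c.Headers {
		b.WriteString(h[0] + " " + strings.ReplaceAll(h[1], "\n", "\n ") + "\n")
	}
	b.WriteString("\n" + c.Message)
	return b.Bytes()
}
```

A signature verifier built on this would compute its payload from `Encode()` with the `gpgsig` header removed, so a parse that cannot round-trip is rejected before any signature is checked.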

RECOMMENDATION:

  • We recommend updating go-git to version 5.19.0 or 6.0.0-alpha.3.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-389r-gv7p-r3rp