Description
go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue. This issue has been patched in version 5.17.1.
Published: 2026-03-31
Score: 2.8 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises when go‑git decodes Git index files of format version 4 without validating the length of the path name prefix. A maliciously crafted index file can trigger an out‑of‑bounds slice operation during normal parsing, causing a runtime panic that terminates the process. This flaw manifests as an input validation error (CWE‑1284) and an out‑of‑bounds violation (CWE‑129), resulting in a denial of service.

Affected Systems

Any software that incorporates the go‑git library before version 5.17.1 and processes Git index files of format 4 is affected. The vulnerability does not impact earlier supported index formats (v2 and v3). The library’s index‑decoding component must be updated.

Risk and Exploitability

The CVSS score of 2.8 indicates low severity, and the EPSS score of less than 1 % implies exploitation is unlikely at present. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that the likely attack vector involves delivering a crafted Git index file to the application; thus the exposure is limited to environments where an attacker can influence the contents of Git repositories or index files that the application processes. The vulnerability results only in a process crash and does not grant code execution, but the potential for downtime warrants remediation.

Generated by OpenCVE AI on April 3, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade go‑git to version 5.17.1 or newer.
  • If an upgrade is not possible, validate or sanitize Git index files for format 4 before passing them to the library.

Generated by OpenCVE AI on April 3, 2026 at 04:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gm2x-2g9h-ccm8 go-git missing validation decoding Index v4 files leads to panic
History

Fri, 03 Apr 2026 01:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1284
References
Metrics threat_severity

None

 threat_severity

Low

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Go-git Project
Go-git Project go-git
CPEs cpe:2.3:a:go-git_project:go-git:*:*:*:*:*:go:*:*
Vendors & Products Go-git Project
Go-git Project go-git

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Go-git
Go-git go-git
Vendors & Products Go-git
Go-git go-git

Tue, 31 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Description go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue. This issue has been patched in version 5.17.1.
Title go-git: Missing validation decoding Index v4 files leads to panic
Weaknesses CWE-129
References
Metrics cvssV3_1

{'score': 2.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L'}

Subscriptions

Go-git Go-git
Go-git Project Go-git
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T18:53:08.221Z

Reserved: 2026-03-23T18:30:14.126Z

Link: CVE-2026-33762

cve-icon Vulnrichment

Updated: 2026-03-31T18:50:27.235Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T15:16:15.597

Modified: 2026-04-02T16:49:29.700

Link: CVE-2026-33762

cve-icon Redhat

Severity : Low

Publid Date: 2026-03-31T13:47:42Z

Links: CVE-2026-33762 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:19:30Z

Weaknesses