Description
go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-of-service (DoS) condition. Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files. This issue has been patched in version 5.17.1.
Published: 2026-03-31
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via memory exhaustion
Action: Apply Patch
AI Analysis

Impact

Version 5.0.0 through 5.17.0 of the go‑git library contains a flaw where a specially crafted .idx file can trigger asymmetric memory consumption that may deplete system memory and cause the process to terminate. The weakness involves improper handling of integer arithmetic (CWE‑191) and unchecked allocation size limits (CWE‑770). When the memory limit is exhausted, the application cannot serve requests and becomes unavailable.

Affected Systems

The flaw applies to all releases of go‑git from 5.0.0 up to, but not including, 5.17.1. Any environment that uses this library and has write access to a local .git directory is potentially vulnerable, as the attacker can create or modify .idx files in the repository.

Risk and Exploitability

The CVSS score of 5.0 indicates a moderate impact, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers would need local write access to the repository’s .git directory; no network‑side or remote exploitation path is known. Given these constraints, the risk is moderate but the probability of successful exploitation remains low.

Generated by OpenCVE AI on April 2, 2026 at 22:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to go‑git version 5.17.1 or a later release

Generated by OpenCVE AI on April 2, 2026 at 22:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jhf3-xxhw-2wpp go-git: Maliciously crafted idx file can cause asymmetric memory consumption
History

Fri, 03 Apr 2026 01:30:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Go-git Project
Go-git Project go-git
CPEs cpe:2.3:a:go-git_project:go-git:*:*:*:*:*:go:*:*
Vendors & Products Go-git Project
Go-git Project go-git

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Go-git
Go-git go-git
Vendors & Products Go-git
Go-git go-git

Tue, 31 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Description go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-of-service (DoS) condition. Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files. This issue has been patched in version 5.17.1.
Title go-git: Maliciously crafted idx file can cause asymmetric memory consumption
Weaknesses CWE-191
CWE-770
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Go-git Go-git
Go-git Project Go-git
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T15:10:17.724Z

Reserved: 2026-03-25T20:12:04.197Z

Link: CVE-2026-34165

cve-icon Vulnrichment

Updated: 2026-04-02T15:10:13.682Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T15:16:17.343

Modified: 2026-04-02T16:49:16.047

Link: CVE-2026-34165

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-31T13:46:37Z

Links: CVE-2026-34165 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:19:31Z

Weaknesses