go-git, a Go implementation of Git, may inadvertently expose HTTP authentication credentials when it follows redirects during smart‑HTTP clone and fetch operations. The vulnerability allows end‑to‑end authentication details to be leaked to an unintended host, enabling an attacker to capture or reuse those credentials for unauthorized access to the remote repository. This issue falls under CWE‑522, Credential Exposure Through Missing Permissions, and also involves CWE‑601, Redirection to Untrusted Site.

The affected component is the go‑git library, version 5.x before 5.18.0 and version 6.0.0‑alpha.2 before that release. Applications that embed go‑git and perform Git operations over HTTP or HTTPS that automatically follow redirects are impacted. Any project or service that imports go‑git to clone or fetch repositories is potentially vulnerable if the underlying library version is not up to date.

The CVSS score of 4.7 indicates a moderate severity. The EPSS score is 0.00057, indicating a very low but non‑zero exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The vulnerability relates to CWE‑522 and CWE‑601. The likely attack vector involves an attacker controlling a redirect chain during a clone or fetch operation; the attacker would need influence over the initial repository URL or the server issuing the redirect. Exploitation would require network access to the client performing the Git operation. Although exploitation is not trivial and would typically require a targeted scenario, credential leakage poses significant risk in environments where sensitive credentials are transmitted over HTTP. The risk level is moderate, but organizations should still treat it as a priority to mitigate potential credential compromise.