Description
Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. This issue has been patched in versions 5.9.0 and 6.0.0-alpha.1.
Published: 2026-06-01
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in go-billy stems from a lack of depth and cycle detection when resolving symbolic links. The library may follow symlinks without checking for loops or enforcing a recursion limit, leading to infinite recursion, panics, or uncontrolled consumption of system resources. An attacker can trigger this by supplying crafted repository data, causing denial of service through excessive CPU or memory usage. The vulnerability maps to CWE-674 (Uncontrolled Recursion) and CWE-835 (Infinite Loop).

Affected Systems

The issue affects the go-billy component of the go-git project. Releases prior to 5.9.0, and 6.0.0 pre-releases before 6.0.0-alpha.1, are impacted. Any Go application that imports or depends on go-billy for filesystem abstraction is potentially vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. No EPSS value is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not known to be widely exploited. The attack vector is inferred to be remote or local, depending on whether the Go application processes input from untrusted sources such as external git repositories. A malicious actor could target the application by supplying a repository containing a symlink loop, triggering the runaway recursion and exhausting resources.

Generated by OpenCVE AI on June 1, 2026 at 18:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the go-billy library to version 5.9.0 or later (including 6.0.0-alpha.1) as published by go-git.
  • If an immediate upgrade is not feasible, restrict the scope of symlink processing to trusted directories or drop the symlink handling in critical paths to prevent deep recursion.
  • Implement application-level checks to reject repositories or filesystem structures that contain cyclic or excessively nested symlinks before delegating to go-billy, mitigating the risk until the library fix is applied.
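A bounded symlink resolver of the kind the last recommendation calls for, as an added example (this is not go-billy's code nor the fix shipped in 5.9.0). It models the filesystem through a small Readlink callback, so the same logic runs over a real tree (wrap os.Lstat and os.Readlink) or over a constructed in-memory link table; Readlink, Resolve and the two error values are names chosen here, not library identifiers.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// Readlink reports whether p is a symlink and, if so, its raw target (wrap
// os.Lstat and os.Readlink for a real tree; a map-backed closure works for tests).
type Readlink func(p string) (target string, isLink bool, err error)

var ErrSymlinkCycle = errors.New("symlink cycle detected")
var ErrSymlinkTooDeep = errors.New("too many symlinks in path")

// Resolve walks p (slash-separated, rooted at "/") one component at a time,
// splicing each link target in front of the remaining components. It fails
// closed on a repeated (link, remaining components) state or after maxLinks hops.
func Resolve(p string, rl Readlink, maxLinks int) (string, error) {
	seen := map[string]bool{}
	followed, resolved := 0, "/"
	pending := strings.Split(strings.TrimPrefix(path.Clean(p), "/"), "/")
	for len(pending) > 0 {
		// path.Join folds "", "." and ".." into resolved, which never holds a link component.
		next := path.Join(resolved, pending[0])
		pending = pending[1:]
		target, isLink, err := rl(next)
		if err != nil {
			return "", err
		}
		if !isLink {
			resolved = next
			continue
		}
		state := next + "\x00" + strings.Join(pending, "/")
		if seen[state] {
			return "", fmt.Errorf("%w: %s", ErrSymlinkCycle, next)
		}
		seen[state] = true
		if followed++; followed > maxLinks {
			return "", fmt.Errorf("%w (limit %d): %s", ErrSymlinkTooDeep, maxLinks, p)
		}
		if path.IsAbs(target) {
			resolved = "/" // an absolute target restarts the walk at the root
		}
		pending = append(strings.Split(strings.TrimPrefix(path.Clean(target), "/"), "/"), pending...)
	}
	return resolved, nil
}
```

Keying the cycle check on the link plus the components still to be walked, rather than on the link path alone, avoids rejecting a directory link that is legitimately traversed twice on the way to different files, while the hop limit (Linux uses 40) still bounds long non-cyclic chains.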

Advisories
Source: Github GHSA
ID: GHSA-m3xc-h892-ggx6
Title: go-billy: Lack of depth and cycle detection in symlink resolution may lead to infinite loops and resource exhaustion
History

Mon, 01 Jun 2026 20:00:00 +0000

Type: First Time appeared
Values Added: Go-git; Go-git go-billy

Type: Vendors & Products
Values Added: Go-git; Go-git go-billy

Mon, 01 Jun 2026 19:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 17:00:00 +0000

Type: Description
Values Added: Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. This issue has been patched in versions 5.9.0 and 6.0.0-alpha.1.

Type: Title
Values Added: go-billy: Lack of depth and cycle detection in symlink resolution may lead to infinite loops and resource exhaustion

Type: Weaknesses
Values Added: CWE-674; CWE-835

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-01T18:14:04.315Z

Reserved: 2026-05-07T18:04:17.310Z

Link: CVE-2026-44740

Vulnrichment

Updated: 2026-06-01T18:14:00.446Z

NVD

Status: Deferred

Published: 2026-06-01T17:17:08.277

Modified: 2026-06-01T18:53:33.870

Link: CVE-2026-44740

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T19:45:19Z

Weaknesses