Description
go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representation may expose values differently from how Git itself would interpret or reject the same object. Additionally, go-git’s commit signing and verification logic operates over commit data reconstructed from go-git’s parsed representation rather than the original raw object bytes. As a result, go-git may sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository. This can cause a signature to appear valid for a commit whose displayed or effective metadata differs from the object that was intended to be signed. This vulnerability is fixed in 5.19.0 and 6.0.0-alpha.3.
Published: 2026-05-27
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

go‑git parses commit or tag objects that contain ambiguous or malformed headers differently than upstream Git, which can produce a decoded representation that does not match the actual bytes stored in a repository. Because the library’s signing and verification routines operate on that decoded data, a commit may be signed or verified successfully even though its true content differs from what a standard Git client would accept or reject. This flaw can make a forged or altered commit appear to have a valid signature, potentially undermining the integrity guarantees expected of signed artifacts.

Affected Systems

Any application that links against go‑git older than version 5.19.0 or 6.0.0‑alpha.3 is susceptible. The vulnerability is tied to the library itself and affects all projects that rely on it to parse, sign, or verify Git objects, including custom Git‑based tooling, CI/CD systems, and any services that fetch or manipulate repositories using this library.

Risk and Exploitability

The CVSS base score of 7 indicates high severity. The EPSS score is not available, so the probability of exploitation is unknown, but the flaw is technical and not trivial to trigger. There is no public KEV listing, indicating that no widespread exploit material is currently known. Attackers would need to supply or inject a malicious commit or tag object that contains malformed headers; in a scenario where the application automatically processes such objects—such as during repository fetches or automated pull requests—the signature verification could be bypassed, allowing an attacker to introduce tampered code into downstream builds or deployments without detection.

Generated by OpenCVE AI on May 27, 2026 at 19:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the go-git library to version 5.19.0 or later (or 6.0.0-alpha.3 and newer) to eliminate the parsing discrepancy and pick up the corrected signing logic.
  • Validate any Git objects against an upstream Git parser before accepting or signing them, ensuring that the raw byte content matches the reconstructed representation.
  • If an upgrade is not immediately possible, restrict the use of go‑git to read‑only operations or disable commit signing on objects that have not been validated, and audit incoming repositories for unexpected header patterns.

Generated by OpenCVE AI on May 27, 2026 at 19:41 UTC.
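A stand-alone Go check in the spirit of the second recommended action, added here as an example and not go-git's own code: Reencode decodes a commit object with a deliberately lax, constructed parser (a repeated single-valued header overwrites the earlier one, unknown headers are dropped) and re-serialises it, and IsCanonical refuses to treat the re-encoded payload as the stored object unless the bytes match. The function names and the sample objects in the comments are assumptions, not anything from the advisory.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// Reencode decodes a commit object into a minimal representation (one value per
// single-valued header, parents in order; gpgsig omitted for brevity) and
// serialises it back. The decoder is deliberately lax, in the spirit of the
// behaviour the advisory describes: a repeated single-valued header overwrites
// the earlier value and unknown headers are dropped, so distinct objects collide.
func Reencode(raw []byte) ([]byte, error) {
	hdr, msg, found := strings.Cut(string(raw), "\n\n")
	if !found {
		return nil, fmt.Errorf("commit object lacks header/message separator")
	}
	single := map[string]string{}
	var parents []string
	for _, line := range strings.Split(hdr, "\n") {
		key, val, ok := strings.Cut(line, " ")
		if !ok {
			return nil, fmt.Errorf("malformed header line %q", line)
		}
		if key == "parent" {
			parents = append(parents, val)
		} else {
			single[key] = val
		}
	}
	var b bytes.Buffer
	fmt.Fprintf(&b, "tree %s\n", single["tree"])
	for _, p := range parents {
		fmt.Fprintf(&b, "parent %s\n", p)
	}
	fmt.Fprintf(&b, "author %s\ncommitter %s\n\n%s", single["author"], single["committer"], msg)
	return b.Bytes(), nil
}

// IsCanonical reports whether raw survives Reencode byte-for-byte; only then is a
// signature over the re-encoded payload also a signature over the stored object.
func IsCanonical(raw []byte) (bool, error) {
	enc, err := Reencode(raw)
	if err != nil {
		return false, err
	}
	return bytes.Equal(raw, enc), nil
}
```

On a mismatch the caller should verify over the raw object bytes or reject the object outright rather than signing or trusting the reconstructed payload.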


Advisories
Source: GitHub GHSA
ID: GHSA-389r-gv7p-r3rp
Title: go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git
History

Thu, 04 Jun 2026 18:00:00 +0000

  • First Time appeared (values added): Go-git Project; Go-git Project go-git
  • CPEs (values added):
    cpe:2.3:a:go-git_project:go-git:*:*:*:*:*:go:*:*
    cpe:2.3:a:go-git_project:go-git:6.0.0:alpha1:*:*:*:go:*:*
    cpe:2.3:a:go-git_project:go-git:6.0.0:alpha2:*:*:*:go:*:*
  • Vendors & Products (values added): Go-git Project; Go-git Project go-git
  • Metrics cvssV3_1 (values added): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Thu, 28 May 2026 04:00:00 +0000

  • First Time appeared (values added): Go-git; Go-git go-git
  • Vendors & Products (values added): Go-git; Go-git go-git

Wed, 27 May 2026 16:30:00 +0000

  • Metrics ssvc (values added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 15:15:00 +0000

  • Description (values added): the description text shown in the Description section above
  • Title (values added): go-git: Improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git
  • Weaknesses (values added): CWE-180; CWE-345
  • References (values added):
  • Metrics cvssV4_0 (values added): {'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-27T15:43:32.693Z
Reserved: 2026-05-08T16:58:28.896Z
Link: CVE-2026-45022

Vulnrichment

Updated: 2026-05-27T15:42:55.982Z

NVD

Status: Analyzed
Published: 2026-05-27T15:16:29.980
Modified: 2026-06-04T17:57:46.580
Link: CVE-2026-45022

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T03:45:05Z

Weaknesses
  • CWE-180: Incorrect Behavior Order: Validate Before Canonicalize
  • CWE-345: Insufficient Verification of Data Authenticity