The vulnerability is in go‑git, a Go library that implements Git. Prior to version 5.19.1 and 6.0.0‑alpha.4 the library builds a remote exec command for SSH transport by wrapping the repository path in single quotes, but it fails to escape any single quotes that occur inside the path. An attacker who can provide a path containing a single quote can break out of the quoted region and inject additional shell tokens. Because the exec command runs on the remote host, this can lead to arbitrary command execution on that host, potentially compromising confidentiality, integrity, or availability of the remote system. The weakness is a classic example of an improper string handling flaw (CWE‑116).

Affected products are the go‑git library under the go‑git:go‑git namespace. Versions older than 5.19.1 for the stable 5.x branch and older than 6.0.0‑alpha.4 for the 6.x pre‑release branch are vulnerable. Applications that embed these versions, especially those that clone or fetch from arbitrary repositories over SSH, must address this issue.

The CVSS base score is 2.3, indicating a low overall risk. The EPSS score is not available and the vulnerability is not listed in CISA KEV, so there is no public evidence of exploitation. The risk is linked to the attacker’s ability to supply a malicious repository path when using the SSH transport. If the tool is run with elevated privileges or on untrusted servers, an injected command could run with those privileges. Therefore, while the likelihood of a widespread exploit is low, the potential impact if exploited can be severe.