Impact
A path validation issue in the pure Go git library permits crafted repository data to write files outside the intended checkout location, including the repository’s own .git directory. This flaw, tagged as CWE-22, means an attacker can supply malicious repository content that, when processed, writes to configuration files or metadata inside the .git control structures, potentially changing repository behavior or facilitating further compromise.
Affected Systems
The vulnerability affects the go-git implementation library. All users of go-git with a version earlier than 5.19.1 or 6.0.0-alpha.4 are impacted. Projects that integrate go-git via dependency managers must check their bundled library version. Any application that clones, pulls, or otherwise processes git data through these library versions is susceptible.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. From the description it is inferred that exploitation requires an attacker to supply a crafted repository, which typically means the victim must clone or pull from a malicious source, so the attack vector is local repository manipulation rather than remote network exploitation. Once the repository is processed, the attacker can presumably modify configuration or state files within the .git directory, potentially leading to privilege escalation or further tampering. Given the lack of a publicly known widespread exploit, the immediate threat level is moderate but should not be ignored.
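The defensive property at stake is that every tree entry path written during checkout stays under the worktree root and never lands in the .git control directory. The following Go function is an added illustration of such a check written for this note; it is not go-git's own code or its fix, and the function name and sample root are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned for tree entry paths that must not be written.
var ErrUnsafePath = errors.New("unsafe checkout path")

// safeCheckoutPath maps a git tree entry path (forward-slash separated, as
// stored in tree objects) to an on-disk path under root, refusing anything
// that would escape root or land inside the .git control directory.
// Illustrative check for this note, not go-git's implementation.
func safeCheckoutPath(root, entry string) (string, error) {
	if entry == "" || strings.ContainsRune(entry, 0) {
		return "", fmt.Errorf("%w: empty or NUL in %q", ErrUnsafePath, entry)
	}
	// Treat a backslash as a separator too, so "..\x" cannot slip past
	// on Windows hosts where it would be interpreted as traversal.
	norm := strings.ReplaceAll(entry, `\`, "/")
	if strings.HasPrefix(norm, "/") || filepath.VolumeName(norm) != "" {
		return "", fmt.Errorf("%w: absolute path %q", ErrUnsafePath, entry)
	}
	for _, part := range strings.Split(norm, "/") {
		switch {
		case part == "" || part == ".":
			continue
		case part == "..":
			return "", fmt.Errorf("%w: traversal in %q", ErrUnsafePath, entry)
		case strings.EqualFold(strings.TrimRight(part, ". "), ".git"):
			// Case-insensitive, and tolerant of trailing dots or spaces
			// that some filesystems strip (".GIT", ".git." both match).
			return "", fmt.Errorf("%w: targets .git in %q", ErrUnsafePath, entry)
		}
	}
	abs := filepath.Join(root, filepath.FromSlash(norm))
	rel, err := filepath.Rel(root, abs) // final containment check after cleaning
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves outside %q", ErrUnsafePath, entry, root)
	}
	return abs, nil
}

func main() {
	root := filepath.Join("tmp", "checkout") // constructed sample root
	for _, e := range []string{"src/main.go", "../etc/passwd", ".git/config", "sub/.GIT/hooks/pre-commit"} {
		p, err := safeCheckoutPath(root, e)
		fmt.Printf("%-28q -> %q %v\n", e, p, err)
	}
}
```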
OpenCVE Enrichment source: GitHub GHSA