Ionut Lalu discovered that go-git incorrectly handled certain specially crafted Git server responses. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-49568, CVE-2025-21614)

Ionut Lalu discovered that go-git incorrectly handled file system paths when using the ChrootOS implementation. A remote attacker could possibly use this issue to perform a path traversal and create or modify arbitrary files, leading to remote code execution. (CVE-2023-49569)

It was discovered that go-git did not properly sanitize arguments when invoking git-upload-pack using the file transport protocol. An attacker could possibly use this issue to inject arbitrary flag values when interacting with local Git repositories. (CVE-2025-21613)

It was discovered that go-git did not properly verify integrity checks for pack and index files. An attacker could possibly use this issue to cause go-git to process corrupted repository data, resulting in unexpected errors or an incorrect repository state. (CVE-2026-25934)
Multiple vulnerabilities in the go-git library include a critical path traversal flaw (CVE-2023-49569, CVSS 9.8) via the ChrootOS implementation allowing remote code execution, and high-severity issues enabling denial of service or argument injection via crafted server responses and git-upload-pack interactions. Affected versions are go-git from 4.0.0 to before 5.11.0 for CVE-2023-49568 and CVE-2023-49569, and versions before 5.13.0 for CVE-2025-21614. Users must upgrade to go-git 5.11.0 or 5.13.0, as specified per CVE, to remediate these issues.
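The two input-handling defect classes named above (a chroot-style path that escapes its root, and a repository path that git-upload-pack could parse as a flag) are the kind of thing an application embedding a Git library should guard at its own boundary as well. The following is an added example written for this advisory, not go-git's own ChrootOS or transport code; `ConfinedPath` and `UploadPackArgs` are hypothetical helper names, and the `/srv/repo` paths are constructed sample input.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a name would resolve outside the root.
var ErrOutsideRoot = errors.New("path escapes confinement root")

// ErrFlagLikePath is returned when a repository path begins with '-'.
var ErrFlagLikePath = errors.New("repository path looks like a flag")

// ConfinedPath joins name onto root and rejects, rather than silently
// rewriting, any result that lands outside root (the CVE-2023-49569 class).
// Note: this is a lexical check only; symlinks inside root are not resolved.
func ConfinedPath(root, name string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	joined := filepath.Join(absRoot, name) // Join also cleans "." and ".."
	rel, err := filepath.Rel(absRoot, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return joined, nil
}

// UploadPackArgs builds the argv for a local git-upload-pack invocation.
// A repository path starting with '-' is refused so it can never be parsed
// as an option (the CVE-2025-21613 class); the path is then made absolute,
// which by construction cannot begin with '-'.
func UploadPackArgs(repoPath string) ([]string, error) {
	if strings.HasPrefix(filepath.Clean(repoPath), "-") {
		return nil, ErrFlagLikePath
	}
	abs, err := filepath.Abs(repoPath)
	if err != nil {
		return nil, err
	}
	return []string{"git-upload-pack", abs}, nil
}

func main() {
	_, err := ConfinedPath("/srv/repo", "../../etc/passwd")
	fmt.Println("traversal attempt:", err)
	_, err = UploadPackArgs("-upload-pack=evil")
	fmt.Println("flag-like path:", err)
}
```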