CVE-2025-21613: go-git has an Argument Injection via the URL field

9.2 CVSS

Description

go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.

Classification

CVE ID: CVE-2025-21613

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.2

Affected Products

Vendor: go-git

Product: go-git

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.48% (scored less or equal to compared to others)

EPSS Date: 2025-02-04 (when was this score calculated)

References

https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m

Timeline

2025-01-07 00:30:51 UTC
CVE

go-git has an Argument Injection via the URL field