CVE-2026-45022

EPSS 0.16%
Veröffentlicht 27.05.2026 15:16:29
Zuletzt bearbeitet 04.06.2026 17:57:46
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

go-git: Improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git

go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representation may expose values differently from how Git itself would interpret or reject the same object. Additionally, go-git’s commit signing and verification logic operates over commit data reconstructed from go-git’s parsed representation rather than the original raw object bytes. As a result, go-git may sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository. This can cause a signature to appear valid for a commit whose displayed or effective metadata differs from the object that was intended to be signed. This vulnerability is fixed in 5.19.0 and 6.0.0-alpha.3.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 4

NVD 3 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Go-git Project ≫ Go-git SwPlatformgo Version < 5.19.0

Go-git Project ≫ Go-git Version6.0.0 Updatealpha1 SwPlatformgo

Go-git Project ≫ Go-git Version6.0.0 Updatealpha2 SwPlatformgo

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.16%	0.054

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
security-advisories@github.com	7	0	0	CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-180 Incorrect Behavior Order: Validate Before Canonicalize

The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.

CWE-345 Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

https://github.com/go-git/go-git/security/advisories/GHSA-389r-gv7p-r3rp

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-45022

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-45022

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-45022

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-45022