CVE-2025-21613

Published Jan 6, 2025

Last updated a month ago

CVSS critical 9.2

Overview

Description
go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.
Source
security-advisories@github.com
NVD status
Awaiting Analysis

Risk scores

CVSS 4.0

Type
Secondary
Base score
9.2
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
Severity
CRITICAL

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-88
134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-88

Social media

Hype score
Not currently trending

  1. Secure Your Repos: go-git Patches Critical Vulnerability - CVE-2025-21613 (CVSS 9.8) Protect your Git repositories from security vulnerabilities. Learn about the critical flaws (CVE-2025-21613 & CVE-2025-21614) addressed in go-git v5.13 https://t.co/Bv6bw7Y3Qt

    @the_yellow_fall

    8 Jan 2025

    279 Impressions

    2 Retweets

    5 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  2. CVE-2025-21613 Argument Injection Vulnerability in go-git Versions Below 5.13.0 go-git is a flexible library for git, made in Go. Versions before v5.13 have an argument injection vulnerability. If exploited, it l... https://t.co/SIZ2apovgd

    @VulmonFeeds

    6 Jan 2025

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. [CVE-2025-21613: CRITICAL] Critical vulnerability found in go-git < v5.13! An injection flaw allows attackers to manipulate git-upload-pack flags. Patch your version to 5.13.0 to stay secure.#cybersecurity,#vulnerability https://t.co/26wrkI75ik https://t.co/5Zkm6fsaSg

    @CveFindCom

    6 Jan 2025

    54 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

References