CVE-2023-49568 Overview
A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.
Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability. This is a go-git implementation issue and does not affect the upstream git CLI.
Critical Impact
Attackers can exploit this vulnerability to cause resource exhaustion in applications using go-git, leading to denial of service conditions that may impact availability of dependent services and infrastructure.
Affected Products
- go-git versions prior to v5.11
- Applications using go-git with file system operations (non-memory filesystem implementations)
- Go applications integrating go-git library for Git operations
Discovery Timeline
- 2024-01-12 - CVE-2023-49568 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-49568
Vulnerability Analysis
This vulnerability is classified under CWE-20 (Improper Input Validation). The go-git library fails to properly validate and limit responses received from Git servers. When a go-git client communicates with a malicious or compromised Git server, the server can send specially crafted responses designed to trigger excessive resource consumption on the client side.
The resource exhaustion occurs because go-git does not implement adequate safeguards to limit the size or complexity of data processed from server responses. This allows an attacker controlling a Git server to cause client applications to consume excessive memory or CPU resources, ultimately leading to service degradation or complete denial of service.
It's important to note that applications using only the in-memory filesystem provided by go-git are not vulnerable to this attack, as the resource exhaustion specifically affects file system operations.
Root Cause
The root cause of this vulnerability lies in improper input validation within the go-git library when processing responses from Git servers. The library does not adequately validate the bounds or structure of server-provided data before processing, allowing malformed or excessively large responses to consume unbounded resources on the client.
Attack Vector
The attack vector for CVE-2023-49568 is network-based. An attacker must control or compromise a Git server that a vulnerable go-git client connects to. The attack scenario typically involves:
- Setting up a malicious Git server or compromising an existing one
- Waiting for or inducing a victim's go-git client to connect to the server
- Sending specially crafted responses that trigger resource exhaustion
- The client application experiences memory or CPU exhaustion, leading to denial of service
This vulnerability does not require authentication or user interaction, making it exploitable against any go-git client that can be directed to communicate with a malicious server.
Detection Methods for CVE-2023-49568
Indicators of Compromise
- Abnormal memory consumption spikes in applications using go-git
- Unusual network traffic patterns to Git servers with large response payloads
- Application crashes or timeouts during Git operations
- Resource exhaustion alerts on systems running go-git dependent applications
Detection Strategies
- Monitor memory and CPU utilization for applications using go-git library
- Implement network monitoring to detect abnormally large Git protocol responses
- Set up application-level logging for Git operations to identify unusual patterns
- Deploy dependency scanning to identify vulnerable go-git versions in your codebase
Monitoring Recommendations
- Configure resource limits and alerts for go-git dependent services
- Implement request/response size monitoring for Git network traffic
- Enable detailed logging for Git client operations in production environments
- Use SentinelOne Singularity Platform to detect unusual resource consumption patterns indicative of DoS attacks
How to Mitigate CVE-2023-49568
Immediate Actions Required
- Upgrade go-git to version v5.11 or later immediately
- Audit all applications and dependencies using go-git library
- Consider implementing resource limits at the application or container level as a temporary safeguard
- Review and restrict which Git servers your applications are permitted to connect to
Patch Information
The go-git project has addressed this vulnerability in version v5.11 and later. Organizations should update their go-git dependency to the patched version as soon as possible. For detailed information about the fix, refer to the GitHub Security Advisory GHSA-mw99-9chc-xw7r.
Workarounds
- Use only the in-memory filesystem implementation of go-git where possible, as this configuration is not affected
- Implement network-level controls to restrict connections to trusted Git servers only
- Deploy resource quotas and limits on containers or processes running go-git applications
- Consider using the upstream git CLI for operations requiring interaction with untrusted servers until patching is complete
# Update go-git dependency to patched version
go get github.com/go-git/go-git/v5@v5.11.0
go mod tidy
# Verify the updated version
go list -m github.com/go-git/go-git/v5
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
