CVE-2023-49569 Overview
A critical path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem, potentially leading to remote code execution in worst-case scenarios. The issue specifically affects applications using the ChrootOS filesystem abstraction, which is the default when using "Plain" versions of Open and Clone functions such as PlainClone. Applications using BoundOS or in-memory filesystems are not affected.
This is a go-git implementation issue and does not affect the upstream git CLI.
Critical Impact
Attackers can traverse outside the intended directory structure to create, modify, or overwrite arbitrary files on the filesystem, potentially achieving remote code execution on affected systems.
Affected Products
- go-git versions prior to v5.11
- Applications using ChrootOS (default for PlainClone and PlainOpen functions)
- Go applications integrating go-git with default filesystem configurations
Discovery Timeline
- 2024-01-12 - CVE CVE-2023-49569 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-49569
Vulnerability Analysis
This path traversal vulnerability (CWE-22) exists in the go-git library's filesystem handling implementation. The vulnerability allows unauthenticated remote attackers to escape the intended working directory and manipulate files anywhere on the accessible filesystem. The flaw enables complete compromise of confidentiality, integrity, and availability on vulnerable systems.
When processing git operations, the affected ChrootOS implementation fails to properly sanitize file paths containing directory traversal sequences (such as ../). This allows malicious repositories or crafted git operations to write files outside the intended repository directory. In the worst-case scenario, an attacker could overwrite critical system files or inject malicious executables, leading to remote code execution.
Root Cause
The root cause lies in insufficient path validation within the ChrootOS filesystem abstraction layer in go-git. When handling file paths during git operations (clone, checkout, etc.), the implementation does not adequately prevent directory traversal sequences from escaping the chroot boundary. This allows path components like ../ to navigate outside the intended repository root directory.
The BoundOS implementation properly validates and restricts paths, which is why applications using that abstraction are not affected.
Attack Vector
The attack can be executed remotely over the network without authentication or user interaction. An attacker could craft a malicious git repository containing files with path traversal sequences in their names or paths. When a vulnerable application clones or processes this repository using the default ChrootOS filesystem:
- The attacker creates a malicious repository with specially crafted file paths containing traversal sequences
- A victim application clones or fetches from this repository using PlainClone or similar functions
- The go-git library processes the malicious paths without proper sanitization
- Files are written outside the intended repository directory to attacker-controlled locations
- If the attacker can write to executable paths or configuration files, remote code execution is achieved
The vulnerability affects any network-accessible git operations where the application processes untrusted repositories or repository content.
Detection Methods for CVE-2023-49569
Indicators of Compromise
- Unexpected files appearing outside designated repository directories on systems running go-git applications
- Modified system files or configurations that correspond with git clone or fetch operations
- Suspicious file creation activity in parent directories relative to repository roots
- Log entries showing file operations with path traversal patterns (../) in git-related processes
Detection Strategies
- Monitor file system activity for write operations containing directory traversal patterns (../, ..\) originating from Go applications
- Audit go-git library versions in your Go module dependencies using go list -m all | grep go-git
- Implement application-level logging to track all file operations during git operations
- Use SentinelOne's runtime protection to detect and alert on suspicious file creation patterns outside expected directories
Monitoring Recommendations
- Enable file integrity monitoring on critical system directories and configuration files
- Configure alerts for any Go application processes writing files outside their designated working directories
- Review dependency manifests (go.mod, go.sum) across your codebase for vulnerable go-git versions
- Monitor network traffic for git clone operations from untrusted or external sources
How to Mitigate CVE-2023-49569
Immediate Actions Required
- Upgrade go-git to version v5.11 or later immediately
- Audit all applications in your environment for go-git dependency usage
- Consider switching affected applications to use BoundOS instead of ChrootOS as an interim measure
- Restrict network access for applications that process untrusted git repositories until patched
Patch Information
The vulnerability has been addressed in go-git version v5.11 and later. Organizations should update their Go module dependencies to the patched version. For detailed patch information and security guidance, refer to the GitHub Security Advisory GHSA-449p-3h89-pw88.
To update go-git in your project:
go get github.com/go-git/go-git/v5@v5.11.0
go mod tidy
Workarounds
- Replace ChrootOS with BoundOS filesystem abstraction in your application code, which properly validates paths
- Use in-memory filesystems for git operations when disk persistence is not required
- Implement application-level path validation before any file operations
- Run affected applications in containerized environments with restricted filesystem access to limit potential damage
# Check your current go-git version in go.mod
grep "go-git/go-git" go.mod
# Update to the patched version
go get github.com/go-git/go-git/v5@latest
# Verify the update
go list -m github.com/go-git/go-git/v5
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
