CVE-2025-21614 Overview
A denial of service (DoS) vulnerability was discovered in go-git, a highly extensible git implementation library written in pure Go. An attacker who controls a Git server can send specially crafted responses that trigger resource exhaustion in go-git clients. Users running go-git v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.
Critical Impact
Attackers can exploit this vulnerability remotely without authentication to cause resource exhaustion in applications using the go-git library, potentially rendering services unavailable.
Affected Products
- go-git versions from v4 up to, but not including, v5.13
- Applications and services built using vulnerable go-git library versions
Discovery Timeline
- 2025-01-06 - CVE-2025-21614 published to NVD
- 2025-09-30 - Last updated in NVD database
Technical Details for CVE-2025-21614
Vulnerability Analysis
This vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption), a type of resource exhaustion vulnerability. The flaw exists in how go-git processes responses from Git servers. When a malicious Git server sends specially crafted responses, the go-git client fails to properly limit resource consumption during processing. This can lead to excessive memory allocation, CPU usage, or other resource exhaustion conditions that render the client application unresponsive.
The vulnerability is exploitable over the network without requiring any authentication or user interaction, making it particularly concerning for applications that connect to untrusted Git servers.
Root Cause
The root cause of this vulnerability is improper resource management in the go-git library when handling server responses. The library does not implement adequate bounds checking or resource limits when processing data received from Git servers. This allows a malicious server to send responses designed to consume excessive system resources on the client side, leading to denial of service conditions.
Attack Vector
An attacker can exploit this vulnerability by setting up a malicious Git server or by performing a man-in-the-middle attack on legitimate Git connections. When a vulnerable go-git client connects to the attacker-controlled server and attempts operations like clone, fetch, or pull, the server responds with specially crafted data designed to trigger resource exhaustion. The attack requires network access to the victim but does not require authentication or user interaction beyond initiating a Git operation.
The vulnerability manifests when processing malformed or excessively large server responses. For detailed technical information about the exploitation mechanism, see the GitHub Security Advisory.
Detection Methods for CVE-2025-21614
Indicators of Compromise
- Unusual memory consumption spikes in applications using go-git library
- Application crashes or hangs during Git operations (clone, fetch, pull)
- Network connections to suspicious or unknown Git server endpoints
- Log entries indicating failed or abnormally long Git operations
Detection Strategies
- Monitor application resource usage for anomalies during Git operations
- Implement alerting on memory usage thresholds for services using go-git
- Review application dependencies to identify vulnerable go-git versions using go list -m all | grep go-git
- Deploy network monitoring to detect connections to untrusted Git servers
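One way to turn the dependency check above into an automated audit, as an added example script that is not part of this advisory or of go-git: it reads the "module version" lines that go list -m all prints and flags the affected module paths (the real v4 path gopkg.in/src-d/go-git.v4 and the v5 path github.com/go-git/go-git/v5 below v5.13.0); the sample listing is constructed.

```shell
#!/bin/sh
# Audit `go list -m all` output for go-git versions affected by CVE-2025-21614.
# Added example; module paths are the real go-git v4/v5 import paths,
# the sample listing below is constructed.

# go_git_vulnerable MODULE VERSION -> exit 0 if affected, 1 if not.
go_git_vulnerable() {
    mod="$1"; ver="$2"
    case "$mod" in
        gopkg.in/src-d/go-git.v4)
            return 0 ;;                    # every v4 release is affected, no fixed v4 exists
        github.com/go-git/go-git/v5)
            # strip the leading "v" and any pre-release / pseudo-version suffix,
            # then compare the minor number against the fixed release 5.13
            minor=$(printf '%s' "$ver" | sed 's/^v//; s/[-+].*//' | cut -d. -f2)
            if [ "${minor:-0}" -lt 13 ]; then return 0; fi
            return 1 ;;
        *)  return 1 ;;                    # some other module
    esac
}

# audit_modules reads `go list -m all` lines on stdin, prints each affected
# module, and exits 0 if any were found (1 otherwise) so it can gate a CI job.
audit_modules() {
    found=1
    while read -r mod ver rest; do
        [ -z "$ver" ] && continue          # first line is the main module, no version
        if go_git_vulnerable "$mod" "$ver"; then
            printf 'VULNERABLE %s %s\n' "$mod" "$ver"
            found=0
        fi
    done
    return $found
}

# Constructed sample in the shape of `go list -m all` output.
SAMPLE='example.com/myapp
github.com/go-git/go-billy/v5 v5.6.0
github.com/go-git/go-git/v5 v5.12.0
gopkg.in/src-d/go-git.v4 v4.13.1
golang.org/x/net v0.33.0'

printf '%s\n' "$SAMPLE" | audit_modules
```

In a real build, replace the constructed sample with go list -m all | audit_modules and fail the pipeline on exit status 0.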
Monitoring Recommendations
- Enable resource monitoring and alerting for all services using go-git
- Implement connection timeouts and resource limits at the application level
- Log and audit all Git server connections, especially to external endpoints
- Use dependency scanning tools to track go-git versions across your codebase
How to Mitigate CVE-2025-21614
Immediate Actions Required
- Upgrade go-git library to version v5.13 or later immediately
- Audit all applications and services that depend on go-git
- Review and restrict network access to trusted Git servers only
- Implement resource limits and timeouts for Git operations where possible
Patch Information
The go-git maintainers have released version v5.13 which addresses this vulnerability. Users should update their go.mod file to require at minimum v5.13 of the go-git library. For detailed patch information and upgrade instructions, refer to the GitHub Security Advisory GHSA-r9px-m959-cxf4.
Workarounds
- Restrict application connectivity to only trusted, known Git servers
- Implement network-level controls to prevent connections to untrusted Git endpoints
- Apply resource limits (memory, CPU) at the container or process level to limit blast radius
- Consider temporary removal of external Git connectivity until patching is complete
# Update go-git dependency to patched version
go get github.com/go-git/go-git/v5@v5.13.0
go mod tidy
# Verify the updated version
go list -m github.com/go-git/go-git/v5
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.