CVE-2026-45570 Overview
CVE-2026-45570 affects go-git, an extensible Git implementation library written in pure Go. The vulnerability exists in the SSH transport layer, which constructs the remote exec command by wrapping the repository path in single quotes without escaping embedded single quotes. A repository path containing a single quote can break out of the quoted region and inject additional shell tokens into the remote exec command. The flaw is categorized under [CWE-116] (Improper Encoding or Escaping of Output) and was fixed in versions 5.19.1 and 6.0.0-alpha.4.
Critical Impact
A crafted repository path can inject shell tokens into the SSH remote exec command, enabling limited integrity and availability impact on the remote scope.
Affected Products
- go-git versions prior to 5.19.1
- go-git 6.x versions prior to 6.0.0-alpha.4
- Applications and tooling embedding the vulnerable go-git SSH transport
Discovery Timeline
- 2026-05-27 - CVE-2026-45570 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45570
Vulnerability Analysis
The go-git library implements Git protocol operations entirely in Go, including SSH-based transport for clone, fetch, and push operations. When initiating an SSH session, the library builds a remote command such as git-upload-pack '<repo-path>' to invoke the corresponding server-side service. The repository path is wrapped in single quotes to preserve shell-special characters, but the wrapping does not sanitize single-quote characters embedded inside the path itself.
A repository path containing an apostrophe terminates the surrounding quoted region prematurely. The remaining characters in the path are then parsed by the remote shell as additional tokens, altering the structure of the executed command. The impact is constrained by the remote shell context and what tokens the attacker can place after the quote breakout.
Root Cause
The root cause is improper output encoding in the SSH transport command builder. The implementation assumed that wrapping a string in single quotes was sufficient to neutralize shell metacharacters. Correct POSIX shell single-quote escaping requires replacing each embedded ' with the sequence '\'', which closes the quoted region, inserts a literal escaped quote, and reopens the quoted region. The absence of this transformation produces the injection primitive.
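The following Go program is an added illustration of the quoting defect and its fix; it is not go-git's source, and the `vulnerableQuote` function is a reconstruction of the flawed pattern the advisory describes rather than the project's actual code. It builds the `git-upload-pack '<path>'` exec string both ways and runs each through a minimal POSIX word splitter (single quotes, backslash escapes, blank separators only) so the difference in how a remote shell would tokenize them is visible.

```go
package main

import (
	"fmt"
	"strings"
)

// vulnerableQuote reproduces the flawed pattern the advisory describes:
// the path is wrapped in single quotes and embedded quotes are left as-is.
// This is an illustrative reconstruction, not go-git's actual source.
func vulnerableQuote(path string) string {
	return "'" + path + "'"
}

// shellSingleQuote applies correct POSIX single-quote escaping: every
// embedded ' becomes '\'' (close the quotes, emit an escaped literal quote,
// reopen the quotes), so the whole path stays one shell word.
func shellSingleQuote(path string) string {
	return "'" + strings.ReplaceAll(path, "'", `'\''`) + "'"
}

// buildUploadPackCmd assembles the remote exec string for git-upload-pack
// using the supplied quoting function.
func buildUploadPackCmd(path string, quote func(string) string) string {
	return "git-upload-pack " + quote(path)
}

// shellTokens is a deliberately minimal POSIX word splitter (single quotes,
// backslash escapes, blank separators; no double quotes or operators). It is
// enough to show how a remote /bin/sh would split each exec string.
func shellTokens(cmd string) []string {
	var toks []string
	var cur strings.Builder
	inTok, inSQ := false, false
	for i := 0; i < len(cmd); i++ {
		c := cmd[i]
		switch {
		case inSQ:
			if c == '\'' {
				inSQ = false
			} else {
				cur.WriteByte(c)
			}
		case c == '\'':
			inSQ, inTok = true, true
		case c == '\\' && i+1 < len(cmd):
			i++
			cur.WriteByte(cmd[i])
			inTok = true
		case c == ' ' || c == '\t':
			if inTok {
				toks = append(toks, cur.String())
				cur.Reset()
				inTok = false
			}
		default:
			cur.WriteByte(c)
			inTok = true
		}
	}
	if inTok {
		toks = append(toks, cur.String())
	}
	return toks
}

func main() {
	// Constructed path: an embedded apostrophe followed by extra text.
	path := "org/repo' stray 'tail"
	for _, q := range []struct {
		name  string
		quote func(string) string
	}{{"vulnerable", vulnerableQuote}, {"escaped", shellSingleQuote}} {
		cmd := buildUploadPackCmd(path, q.quote)
		fmt.Printf("%-10s %s\n   tokens: %q\n", q.name, cmd, shellTokens(cmd))
	}
}
```

With the vulnerable quoting the constructed path yields four shell words (`git-upload-pack`, `org/repo`, `stray`, `tail`); with `'\''` escaping it yields two, the service name and the original path intact, which is exactly the property the patched releases restore.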
Attack Vector
Exploitation requires that an application using go-git connect over SSH to a repository whose path is attacker-influenced. This includes scenarios where a user supplies a remote URL, a configuration file references a malicious remote, or a service accepts repository paths from untrusted input. The attacker controls the trailing portion of the exec command but cannot directly read or write data outside the SSH session scope. User interaction is required to trigger the SSH operation against the malicious path.
No verified public proof-of-concept exploit is available. See the GitHub Security Advisory for technical details of the quoting logic and fix.
Detection Methods for CVE-2026-45570
Indicators of Compromise
- SSH session logs on Git hosting infrastructure containing exec commands with unbalanced single quotes or unexpected tokens after the repository path
- Audit entries showing git-upload-pack or git-receive-pack invocations with shell metacharacters appended to the path argument
- Application logs recording remote URLs whose path component contains an apostrophe character
Detection Strategies
- Inventory Go projects and binaries that import github.com/go-git/go-git and identify versions prior to 5.19.1 or 6.0.0-alpha.4 using software composition analysis
- Inspect outbound SSH traffic from CI/CD runners and developer workstations for Git exec commands containing unescaped quote characters in the path argument
- Review SCM webhook payloads and configuration files for repository URLs containing ' in the path component
Monitoring Recommendations
- Enable detailed command logging on SSH-accessible Git servers and alert on exec strings that deviate from the expected git-(upload|receive)-pack '<path>' shape
- Track dependency manifests (go.mod, go.sum) in source control to identify the introduction or removal of vulnerable go-git versions
- Correlate Git client error events with anomalous remote URL strings supplied by untrusted users
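As an added example of the server-side monitoring described above (not code from go-git or any Git hosting product), the following Go program scans sshd-style log lines for Git exec requests and flags any that do not match the single expected shape. The log format, the `exec request: ` marker and the sample lines are all constructed for the example; adapt the extraction to the real server's log layout.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// expectedExec is the only shape a benign go-git SSH exec request should have:
// the service name, one space, and the repository path in single quotes with
// no quote inside. Anything else is worth a look.
var expectedExec = regexp.MustCompile(`^git-(upload|receive)-pack '([^']*)'$`)

const (
	ReasonUnbalanced = "unbalanced single quotes in exec string"
	ReasonShape      = "exec string deviates from git-(upload|receive)-pack '<path>' shape"
)

// Finding is one flagged log entry with the reason it was flagged.
type Finding struct {
	Line   string
	Reason string
}

// execFromLog pulls the exec command out of a log line. The "exec request: "
// marker is an assumed format for the constructed sample below.
func execFromLog(line string) (string, bool) {
	const marker = "exec request: "
	i := strings.Index(line, marker)
	if i < 0 {
		return "", false
	}
	return strings.TrimSpace(line[i+len(marker):]), true
}

// ScanExecLog returns a finding for every Git exec request that does not
// match the expected quoted shape. An odd number of single quotes is reported
// in preference to the generic shape mismatch because it is the direct
// signature of a quote breakout.
func ScanExecLog(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		cmd, ok := execFromLog(line)
		if !ok || !strings.HasPrefix(cmd, "git-") {
			continue
		}
		if expectedExec.MatchString(cmd) {
			continue
		}
		reason := ReasonShape
		if strings.Count(cmd, "'")%2 != 0 {
			reason = ReasonUnbalanced
		}
		out = append(out, Finding{Line: line, Reason: reason})
	}
	return out
}

// sampleLog is a constructed sshd-style log excerpt, not real data.
var sampleLog = []string{
	"2026-05-27T10:00:01Z sshd[4242]: user=git exec request: git-upload-pack 'org/repo.git'",
	"2026-05-27T10:00:02Z sshd[4243]: user=git exec request: git-receive-pack 'org/repo.git'",
	"2026-05-27T10:00:03Z sshd[4244]: user=git exec request: git-upload-pack 'org/repo' stray 'tail'",
	"2026-05-27T10:00:04Z sshd[4245]: user=git exec request: git-upload-pack 'org/repo'x'",
	"2026-05-27T10:00:05Z sshd[4246]: session opened for user git",
}

func main() {
	for _, f := range ScanExecLog(sampleLog) {
		fmt.Printf("FLAG %s\n     %s\n", f.Reason, f.Line)
	}
}
```

On the constructed sample the two benign requests pass, the session line is ignored, and the two malformed requests are flagged: one for extra tokens after the quoted path and one for an odd quote count. The same regular expression can serve as the allowlist check in a SIEM rule.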
How to Mitigate CVE-2026-45570
Immediate Actions Required
- Upgrade go-git to version 5.19.1 or 6.0.0-alpha.4 and rebuild all dependent binaries
- Validate and reject repository paths containing single-quote characters at application input boundaries until patches are deployed
- Audit CI/CD pipelines and automation tools that perform SSH-based Git operations against user-supplied URLs
Patch Information
The maintainers fixed the issue in go-git 5.19.1 and 6.0.0-alpha.4. The patched releases apply correct POSIX shell single-quote escaping to the repository path before constructing the SSH exec command. Refer to the GitHub Security Advisory GHSA-m7cr-m3pv-hgrp for commit-level details.
Workarounds
- Constrain accepted repository URLs to an allowlist of trusted hosts and a strict character set that excludes '
- Prefer the HTTPS transport for go-git operations where SSH is not strictly required, as the issue is specific to the SSH transport
- Wrap go-git SSH calls in a validation layer that rejects any path containing shell metacharacters before invocation
# Example: enforce repository path validation before invoking go-git SSH operations
# Rejects quotes, backslashes and other common shell metacharacters in $REPO_PATH
if [[ "$REPO_PATH" =~ [\'\"\\\;\&\|\$\`] ]]; then
    echo "Rejected: repository path contains shell metacharacters" >&2
    exit 1
fi
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.