CVE-2026-45571 Overview
CVE-2026-45571 is a path traversal vulnerability [CWE-22] in go-git, an extensible Git implementation library written in pure Go. Versions prior to 5.19.1 and 6.0.0-alpha.4 fail to enforce path validation checks that upstream Git introduced years ago. Crafted repository data can affect files outside the intended checkout target, including the repository's .git directory. An attacker who can convince a user to clone or check out a malicious repository can write files to unintended locations. The maintainers fixed the issue in versions 5.19.1 and 6.0.0-alpha.4.
Critical Impact
Crafted Git repository data can write files outside the checkout directory, including into .git, enabling integrity and availability impact on systems using vulnerable go-git versions.
Affected Products
- go-git versions prior to 5.19.1
- go-git6.0.0-alpha releases prior to 6.0.0-alpha.4
- Go applications and tooling that embed vulnerable go-git releases
Discovery Timeline
- 2026-05-27 - CVE-2026-45571 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45571
Vulnerability Analysis
The vulnerability stems from missing path validation during checkout operations in go-git. Upstream Git enforces checks that reject tree entries containing path components that escape the working directory or target the .git metadata directory. Over time, go-git drifted from these checks and stopped rejecting equivalent malicious entries.
A crafted repository can include tree entries with path components such as .., absolute paths, or names that resolve to .git. When a vulnerable consumer of go-git checks out such a repository, the library writes the entry contents to the attacker-chosen location. Writing into .git allows an attacker to alter hooks, configuration, or refs, which can chain into code execution the next time Git operations run.
The attack requires user interaction, since a victim must clone, fetch, or check out the malicious repository. Confidentiality is not directly impacted, but integrity and availability are affected because attacker-controlled bytes land in files the user did not intend to modify.
Root Cause
The checkout logic in go-git did not validate tree entry path components against the constraints enforced by reference Git. Specifically, the library accepted entries whose normalized paths escaped the checkout root or targeted the .git directory, rather than rejecting them before any write occurred.
Attack Vector
An attacker publishes or serves a malicious Git repository. A victim using a Go application built on a vulnerable go-git version clones or checks out that repository. During checkout, the library writes blob contents to the attacker-specified path. The vector is network-reachable and requires user interaction, consistent with the CVSS vector recorded in NVD.
No verified public proof-of-concept code is referenced in the advisory. Technical details are available in the GitHub Security Advisory GHSA-crhj-59gh-8x96.
Detection Methods for CVE-2026-45571
Indicators of Compromise
- Unexpected modifications to files inside a repository's .git directory, especially config, hooks/, or HEAD after a clone or checkout
- File writes outside the intended checkout directory immediately following a go-git clone, fetch, or checkout operation
- Repository tree entries containing path components such as .., absolute paths, or names that normalize to .git
Detection Strategies
- Inventory Go binaries and services that import github.com/go-git/go-git and compare resolved module versions against 5.19.1 and 6.0.0-alpha.4
- Use software composition analysis (SCA) to flag vulnerable go-git versions in build artifacts and container images
- Audit logs from CI/CD systems and developer endpoints that perform automated cloning of untrusted repositories
Monitoring Recommendations
- Monitor process and file telemetry for write operations targeting paths outside declared workspace directories from processes that embed go-git
- Alert on modifications to .git/hooks/ and .git/config outside of expected developer workflows
- Track Git operations against untrusted remotes from automated systems, including build runners and indexing services
How to Mitigate CVE-2026-45571
Immediate Actions Required
- Upgrade go-git to 5.19.1 or 6.0.0-alpha.4 in all dependent applications and rebuild affected binaries
- Identify services that process untrusted repositories with go-git and prioritize them for patching
- Restrict automated checkout of untrusted repositories until patched versions are deployed
Patch Information
The go-git maintainers fixed the path validation gap in versions 5.19.1 and 6.0.0-alpha.4. Update go.mod to require a fixed release and run go mod tidy followed by a clean rebuild. Refer to the GitHub Security Advisory GHSA-crhj-59gh-8x96 for the full advisory text and commit references.
Workarounds
- Perform go-git checkout operations inside isolated, ephemeral working directories with no sensitive files in parent paths
- Validate repository tree entries before checkout and reject paths containing .., absolute components, or .git segments
- Run repository processing in sandboxed containers with minimal filesystem permissions to limit the blast radius of an out-of-bounds write
# Update go-git to a fixed release
go get github.com/go-git/go-git/v5@v5.19.1
go mod tidy
go build ./...
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
