CVE-2026-25934

4.3 MEDIUM

📋 TL;DR

go-git versions before 5.16.5 do not properly verify the checksums of .pack and .idx files, so corrupted Git repository data can be accepted and processed. This is a data integrity vulnerability affecting any application that uses a vulnerable go-git library version to interact with Git repositories. It could lead to repository corruption or unexpected errors during Git operations.

💻 Affected Systems

Products:
  • go-git library
Versions: All versions before 5.16.5
Operating Systems: All platforms running Go applications using go-git
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using go-git library to fetch or process Git repositories is affected. The vulnerability is in the library itself, not dependent on specific configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Malicious Git servers could serve corrupted packfiles that bypass integrity checks, potentially causing repository corruption, data loss, or denial of service in applications relying on go-git.

🟠 Likely Case

Accidental corruption during network transfers or storage issues could lead to repository corruption, causing 'object not found' errors and disrupting Git operations.

🟢 If Mitigated

With proper controls like network segmentation and trusted Git sources, impact is limited to potential data corruption from non-malicious sources.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires control over Git server or ability to corrupt packfiles in transit. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.16.5

Vendor Advisory: https://github.com/go-git/go-git/security/advisories/GHSA-37cx-329c-33x3

Restart Required: Yes

Instructions:

1. Update go.mod to require go-git v5.16.5 or later.
2. Run 'go get github.com/go-git/go-git/v5@v5.16.5'.
3. Rebuild and redeploy affected applications.
4. Restart services using the updated library.

🔧 Temporary Workarounds

Use git CLI instead of go-git
  Platform: all
  Temporarily replace go-git library calls with system git CLI commands

Implement external integrity verification
  Platform: all
  Add custom checksum verification for downloaded packfiles before processing
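As an added example of the external verification described above (not go-git's own code and not from the advisory), the following Go checks the trailing SHA-1 checksum that every .pack file carries and the two trailing checksums of a version-2 .idx file, rejecting truncated or corrupted data before any object is parsed. The zero-object pack/idx pair it constructs is sample data for running the check offline; it assumes the default SHA-1 object format (SHA-256 repositories use 32-byte trailers).

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"errors"
	"fmt"
)

// VerifyPackChecksum checks the SHA-1 trailer every Git .pack file carries:
// the final 20 bytes must equal the SHA-1 of everything before them, so a
// corrupted or truncated pack is rejected before any object is parsed.
func VerifyPackChecksum(pack []byte) error {
	if len(pack) < 12+sha1.Size || !bytes.Equal(pack[:4], []byte("PACK")) {
		return errors.New("not a packfile, or too short for header plus checksum")
	}
	body, stored := pack[:len(pack)-sha1.Size], pack[len(pack)-sha1.Size:]
	if got := sha1.Sum(body); !bytes.Equal(got[:], stored) {
		return fmt.Errorf("pack checksum mismatch: computed %x, stored %x", got, stored)
	}
	return nil
}

// VerifyIdxChecksum checks a version-2 .idx: its last 40 bytes are the matching
// pack's checksum followed by the SHA-1 of the whole index before that point.
func VerifyIdxChecksum(idx, pack []byte) error {
	// minimum size: magic, version, 256-entry fanout table, two 20-byte trailers
	if len(idx) < 8+256*4+2*sha1.Size || !bytes.Equal(idx[:4], []byte{0xff, 't', 'O', 'c'}) {
		return errors.New("not a version-2 idx file, or too short")
	}
	body, stored := idx[:len(idx)-sha1.Size], idx[len(idx)-sha1.Size:]
	if got := sha1.Sum(body); !bytes.Equal(got[:], stored) {
		return fmt.Errorf("idx checksum mismatch: computed %x, stored %x", got, stored)
	}
	if len(pack) < sha1.Size || !bytes.Equal(body[len(body)-sha1.Size:], pack[len(pack)-sha1.Size:]) {
		return errors.New("idx references a different packfile checksum")
	}
	return nil
}

// NewEmptyPair builds a constructed zero-object .pack and its version-2 .idx
// (sample data, not from any real repository) so the checks run offline.
func NewEmptyPair() (pack, idx []byte) {
	pack = append([]byte("PACK"), 0, 0, 0, 2, 0, 0, 0, 0) // version 2, 0 objects
	ps := sha1.Sum(pack)
	pack = append(pack, ps[:]...)
	idx = append([]byte{0xff, 't', 'O', 'c', 0, 0, 0, 2}, make([]byte, 256*4)...)
	idx = append(idx, ps[:]...) // zero fanout table, then the pack's checksum
	is := sha1.Sum(idx)
	return pack, append(idx, is[:]...)
}
```

Run both checks on every fetched pack/idx pair before handing the files to the library; a mismatch means the data should be discarded and re-fetched rather than processed.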

🧯 If You Can't Patch

  • Restrict Git operations to trusted internal repositories only
  • Implement network controls to prevent connections to untrusted Git servers

🔍 How to Verify

Check if Vulnerable:

Check go.mod or go.sum for go-git dependency version below 5.16.5

Check Version:

grep 'github.com/go-git/go-git' go.mod

Verify Fix Applied:

Verify go.mod requires go-git v5.16.5 or later and rebuild application

📡 Detection & Monitoring

Log Indicators:

  • Unexpected 'object not found' errors
  • Repository corruption errors
  • Checksum validation failures

Network Indicators:

  • Unusual Git server connections
  • Large packfile downloads from untrusted sources

SIEM Query:

source="application.logs" AND ("object not found" OR "packfile" OR "checksum")
