Update module github.com/go-git/go-git/v5 to v5.19.0 [SECURITY]#2732
Merged
Conversation
## Summary <!-- What changed and why. Link to issue if applicable. --> ## Example(s) affected <!-- List the example directory name(s) this PR touches, e.g., aws-ts-s3-folder --> ## Validation <!-- Commands you ran and their output. Copy-paste, don't paraphrase. --> - [ ] Python formatting: `make check_python_formatting` (if Python files changed) - [ ] TypeScript lint: `npx eslint <files>` (if TS files changed) - [ ] Integration test: `make test_example.TestAcc<Name>` (if example code changed) - [ ] PR preview: `make pr_preview` (for bulk changes) ## Checklist - [ ] Example directory follows `<cloud>-<lang>-<name>` naming convention - [ ] `Pulumi.yaml` has correct `runtime:` field - [ ] `README.md` follows the [example template](../example-readme-template.md.txt) - [ ] No hardcoded credentials or secrets - [ ] No `Pulumi.*.yaml` stack config files included - [ ] Integration test added/updated in `misc/test/` (for new examples) --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: pulumi-renovate[bot] <189166143+pulumi-renovate[bot]@users.noreply.github.com>
pulumi-renovate
Bot
added
dependencies
Contributor
Author
|
pulumi-renovate
Bot
added
the
dependencies
Contributor
|
@copilot resolve the merge conflicts in this pull request |
Co-authored-by: rshade <131337+rshade@users.noreply.github.com>
Agent-Logs-Url: https://github.com/pulumi/examples/sessions/e87e9782-e8c1-460a-be13-90dd4e88349c Co-authored-by: rshade <131337+rshade@users.noreply.github.com>
Co-authored-by: rshade <131337+rshade@users.noreply.github.com>
Co-authored-by: rshade <131337+rshade@users.noreply.github.com>
Resolved by merging Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
rshade
added a commit
that referenced
this pull request
May 15, 2026
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/go-git/go-git/v5](https://redirect.github.com/go-git/go-git) | indirect | minor | `v5.18.0` -> `v5.19.0` | ### GitHub Vulnerability Alerts #### [CVE-2026-25934](https://redirect.github.com/go-git/go-git/security/advisories/GHSA-37cx-329c-33x3) ### Impact A vulnerability was discovered in `go-git` whereby data integrity values for `.pack` and `.idx` files were not properly verified. This resulted in `go-git` potentially consuming corrupted files, which would likely result in unexpected errors such as `object not found`. For context, clients fetch [`packfiles`](https://git-scm.com/docs/pack-protocol#_packfile_data) from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (`.idx`) are [generated](https://git-scm.com/docs/pack-format) locally by `go-git`, or the `git` cli, when new `.pack` files are received and processed. The integrity checks for both files were not being verified correctly. Note that the lack of verification of the packfile checksum has no impact on the trust relationship between the client and server, which is enforced based on the protocol being used (e.g. TLS in the case of `https://` or known hosts for `ssh://`). In other words, the packfile checksum verification does not provide any security benefits when connecting to a malicious or compromised Git server. ### Patches Users should upgrade to `v5.16.5`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability. ### Workarounds In case updating to a fixed version of `go-git` is not possible, users can run [git fsck](https://git-scm.com/docs/git-fsck) from the `git` cli to check for data corruption on a given repository. ### Credit Thanks @​N0zoM1z0 for finding and reporting this issue privately to the `go-git` project. #### [CVE-2026-33762](https://redirect.github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8) ### Impact `go-git`’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (`go-git` supports only `v2` and `v3`) are not vulnerable to this issue. An attacker able to supply a crafted `.git/index` file can cause applications using go-git to panic while reading the index. If the application does not recover from panics, this results in process termination, leading to a denial-of-service (DoS) condition. Exploitation requires the ability to modify or inject a Git index file within the local repository in disk. This typically implies write access to the `.git` directory. ### Patches Users should upgrade to `v5.17.1`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability. ### Credit go-git maintainers thank @​kq5y for finding and reporting this issue privately to the `go-git` project. #### [CVE-2026-34165](https://redirect.github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp) ### Impact A vulnerability has been identified in which a maliciously crafted `.idx` file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a Denial of Service (DoS) condition. Exploitation requires write access to the local repository's `.git` directory, it order to create or alter existing `.idx` files. ### Patches Users should upgrade to `v5.17.1`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability. ### Credit The go-git maintainers thank @​kq5y for finding and reporting this issue privately to the `go-git` project. #### [CVE-2026-41506](https://redirect.github.com/go-git/go-git/security/advisories/GHSA-3xc5-wrhm-f963) ### Impact `go-git` may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. If a remote repository responds to the initial `/info/refs` request with a redirect to a different host, go-git updates the session endpoint to the redirected location and reuses the original authentication for subsequent requests. This can result in the credentials (e.g. Authorization headers) being sent to an unintended host. An attacker controlling or influencing the redirect target can capture these credentials and potentially reuse them to access the victim’s repositories or other resources, depending on the scope of the credential. **Clients using `go-git` exclusively with trusted remotes (for example, GitHub or GitLab), and over a secure HTTPS connection, are not affected by this issue.** The risk arises when interacting with untrusted or misconfigured Git servers, or when using unsecured HTTP connections, which is not recommended. Such configurations also expose clients to a broader class of security risks beyond this issue, including credential interception and tampering of repository data. ### Patches Users should upgrade to `v5.18.0`, or `v6.0.0-alpha.2`, in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported `go-git` version. The patched versions add support for configuring [followRedirects](https://git-scm.com/docs/git-config#Documentation/git-config.txt-httpfollowRedirects). In line with upstream behaviour, the default is now `initial`, while users can opt into `FollowRedirects` or `NoFollowRedirects` programmatically. ### Credit Thanks to the 3 separate reports from @​celinke97, @​N0zoM1z0 and @​AyushParkara. Thanks for finding and reporting this issue privately to the `go-git` project. 🙇 #### [CVE-2026-45022](https://redirect.github.com/go-git/go-git/security/advisories/GHSA-389r-gv7p-r3rp) ### Impact `go-git` may parse malformed Git objects in a way that differs from upstream Git. When `commit` or `tag` objects contain ambiguous or malformed headers, `go-git`’s decoded representation may expose values differently from how Git itself would interpret or reject the same object. Additionally, `go-git`’s commit signing and verification logic operates over commit data reconstructed from `go-git`’s parsed representation rather than the original raw object bytes. As a result, `go-git` may sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository. This can cause a signature to appear valid for a commit whose displayed or effective metadata differs from the object that was intended to be signed. ### Patches Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported `go-git` version. ### Credit Thanks to @​bugbunny-research (https://bugbunny.ai/) for reporting this to `sigstore/gitsign`, and to @​wlynch, @​patzielinski and @​adityasaky for coordinating the disclosure with the `go-git` project. 🙇 🥇 Thanks to @​wayphinder for reporting this to the `go-git` project. :bow: --- ### Release Notes <details> <summary>go-git/go-git (github.com/go-git/go-git/v5)</summary> ### [`v5.19.0`](https://redirect.github.com/go-git/go-git/releases/tag/v5.19.0) [Compare Source](https://redirect.github.com/go-git/go-git/compare/v5.18.0...v5.19.0) ##### What's Changed - build: Update module github.com/go-git/go-git/v5 to v5.18.0 \[SECURITY] (releases/v5.x) by [@​go-git-renovate](https://redirect.github.com/go-git-renovate)\[bot] in[https://github.com/go-git/go-git/pull/2010](https://redirect.github.com/go-git/go-git/pull/2010)0 - v5: Bump sha1cd and go-billy by [@​pjbgf](https://redirect.github.com/pjbgf) in [https://github.com/go-git/go-git/pull/2060](https://redirect.github.com/go-git/go-git/pull/2060) - v5: Align object encoding with upstream by [@​pjbgf](https://redirect.github.com/pjbgf) in [https://github.com/go-git/go-git/pull/2065](https://redirect.github.com/go-git/go-git/pull/2065) **Full Changelog**: go-git/go-git@v5.18.0...v5.19.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - Monday through Friday ( * * * * 1-5 ) (UTC). 🚦 **Automerge**: Disabled because a matching PR was automerged previously. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yNjQuMCIsInVwZGF0ZWRJblZlciI6IjM5LjI2NC4wIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyIsImltcGFjdC9uby1jaGFuZ2Vsb2ctcmVxdWlyZWQiXX0=--> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Richard Shade <131337+rshade@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: pulumi-renovate[bot] <189166143+pulumi-renovate[bot]@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
rshade
added a commit
that referenced
this pull request
May 19, 2026
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/go-git/go-git/v5](https://redirect.github.com/go-git/go-git) | indirect | minor | `v5.18.0` -> `v5.19.0` | ### GitHub Vulnerability Alerts #### [CVE-2026-25934](https://redirect.github.com/go-git/go-git/security/advisories/GHSA-37cx-329c-33x3) ### Impact A vulnerability was discovered in `go-git` whereby data integrity values for `.pack` and `.idx` files were not properly verified. This resulted in `go-git` potentially consuming corrupted files, which would likely result in unexpected errors such as `object not found`. For context, clients fetch [`packfiles`](https://git-scm.com/docs/pack-protocol#_packfile_data) from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (`.idx`) are [generated](https://git-scm.com/docs/pack-format) locally by `go-git`, or the `git` cli, when new `.pack` files are received and processed. The integrity checks for both files were not being verified correctly. Note that the lack of verification of the packfile checksum has no impact on the trust relationship between the client and server, which is enforced based on the protocol being used (e.g. TLS in the case of `https://` or known hosts for `ssh://`). In other words, the packfile checksum verification does not provide any security benefits when connecting to a malicious or compromised Git server. ### Patches Users should upgrade to `v5.16.5`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability. ### Workarounds In case updating to a fixed version of `go-git` is not possible, users can run [git fsck](https://git-scm.com/docs/git-fsck) from the `git` cli to check for data corruption on a given repository. ### Credit Thanks @​N0zoM1z0 for finding and reporting this issue privately to the `go-git` project. #### [CVE-2026-33762](https://redirect.github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8) ### Impact `go-git`’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (`go-git` supports only `v2` and `v3`) are not vulnerable to this issue. An attacker able to supply a crafted `.git/index` file can cause applications using go-git to panic while reading the index. If the application does not recover from panics, this results in process termination, leading to a denial-of-service (DoS) condition. Exploitation requires the ability to modify or inject a Git index file within the local repository in disk. This typically implies write access to the `.git` directory. ### Patches Users should upgrade to `v5.17.1`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability. ### Credit go-git maintainers thank @​kq5y for finding and reporting this issue privately to the `go-git` project. #### [CVE-2026-34165](https://redirect.github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp) ### Impact A vulnerability has been identified in which a maliciously crafted `.idx` file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a Denial of Service (DoS) condition. Exploitation requires write access to the local repository's `.git` directory, it order to create or alter existing `.idx` files. ### Patches Users should upgrade to `v5.17.1`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability. ### Credit The go-git maintainers thank @​kq5y for finding and reporting this issue privately to the `go-git` project. #### [CVE-2026-41506](https://redirect.github.com/go-git/go-git/security/advisories/GHSA-3xc5-wrhm-f963) ### Impact `go-git` may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. If a remote repository responds to the initial `/info/refs` request with a redirect to a different host, go-git updates the session endpoint to the redirected location and reuses the original authentication for subsequent requests. This can result in the credentials (e.g. Authorization headers) being sent to an unintended host. An attacker controlling or influencing the redirect target can capture these credentials and potentially reuse them to access the victim’s repositories or other resources, depending on the scope of the credential. **Clients using `go-git` exclusively with trusted remotes (for example, GitHub or GitLab), and over a secure HTTPS connection, are not affected by this issue.** The risk arises when interacting with untrusted or misconfigured Git servers, or when using unsecured HTTP connections, which is not recommended. Such configurations also expose clients to a broader class of security risks beyond this issue, including credential interception and tampering of repository data. ### Patches Users should upgrade to `v5.18.0`, or `v6.0.0-alpha.2`, in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported `go-git` version. The patched versions add support for configuring [followRedirects](https://git-scm.com/docs/git-config#Documentation/git-config.txt-httpfollowRedirects). In line with upstream behaviour, the default is now `initial`, while users can opt into `FollowRedirects` or `NoFollowRedirects` programmatically. ### Credit Thanks to the 3 separate reports from @​celinke97, @​N0zoM1z0 and @​AyushParkara. Thanks for finding and reporting this issue privately to the `go-git` project. 🙇 #### [CVE-2026-45022](https://redirect.github.com/go-git/go-git/security/advisories/GHSA-389r-gv7p-r3rp) ### Impact `go-git` may parse malformed Git objects in a way that differs from upstream Git. When `commit` or `tag` objects contain ambiguous or malformed headers, `go-git`’s decoded representation may expose values differently from how Git itself would interpret or reject the same object. Additionally, `go-git`’s commit signing and verification logic operates over commit data reconstructed from `go-git`’s parsed representation rather than the original raw object bytes. As a result, `go-git` may sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository. This can cause a signature to appear valid for a commit whose displayed or effective metadata differs from the object that was intended to be signed. ### Patches Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported `go-git` version. ### Credit Thanks to @​bugbunny-research (https://bugbunny.ai/) for reporting this to `sigstore/gitsign`, and to @​wlynch, @​patzielinski and @​adityasaky for coordinating the disclosure with the `go-git` project. 🙇 🥇 Thanks to @​wayphinder for reporting this to the `go-git` project. :bow: --- ### Release Notes <details> <summary>go-git/go-git (github.com/go-git/go-git/v5)</summary> ### [`v5.19.0`](https://redirect.github.com/go-git/go-git/releases/tag/v5.19.0) [Compare Source](https://redirect.github.com/go-git/go-git/compare/v5.18.0...v5.19.0) ##### What's Changed - build: Update module github.com/go-git/go-git/v5 to v5.18.0 \[SECURITY] (releases/v5.x) by [@​go-git-renovate](https://redirect.github.com/go-git-renovate)\[bot] in[https://github.com/go-git/go-git/pull/2010](https://redirect.github.com/go-git/go-git/pull/2010)0 - v5: Bump sha1cd and go-billy by [@​pjbgf](https://redirect.github.com/pjbgf) in [https://github.com/go-git/go-git/pull/2060](https://redirect.github.com/go-git/go-git/pull/2060) - v5: Align object encoding with upstream by [@​pjbgf](https://redirect.github.com/pjbgf) in [https://github.com/go-git/go-git/pull/2065](https://redirect.github.com/go-git/go-git/pull/2065) **Full Changelog**: go-git/go-git@v5.18.0...v5.19.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - Monday through Friday ( * * * * 1-5 ) (UTC). 🚦 **Automerge**: Disabled because a matching PR was automerged previously. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yNjQuMCIsInVwZGF0ZWRJblZlciI6IjM5LjI2NC4wIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyIsImltcGFjdC9uby1jaGFuZ2Vsb2ctcmVxdWlyZWQiXX0=--> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Richard Shade <131337+rshade@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: pulumi-renovate[bot] <189166143+pulumi-renovate[bot]@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
rshade
added a commit
that referenced
this pull request
May 20, 2026
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/go-git/go-git/v5](https://redirect.github.com/go-git/go-git) | indirect | minor | `v5.18.0` -> `v5.19.0` | [CVE-2026-25934](https://redirect.github.com/go-git/go-git/security/advisories/GHSA-37cx-329c-33x3) A vulnerability was discovered in `go-git` whereby data integrity values for `.pack` and `.idx` files were not properly verified. This resulted in `go-git` potentially consuming corrupted files, which would likely result in unexpected errors such as `object not found`. For context, clients fetch [`packfiles`](https://git-scm.com/docs/pack-protocol#_packfile_data) from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (`.idx`) are [generated](https://git-scm.com/docs/pack-format) locally by `go-git`, or the `git` cli, when new `.pack` files are received and processed. The integrity checks for both files were not being verified correctly. Note that the lack of verification of the packfile checksum has no impact on the trust relationship between the client and server, which is enforced based on the protocol being used (e.g. TLS in the case of `https://` or known hosts for `ssh://`). In other words, the packfile checksum verification does not provide any security benefits when connecting to a malicious or compromised Git server. Users should upgrade to `v5.16.5`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability. In case updating to a fixed version of `go-git` is not possible, users can run [git fsck](https://git-scm.com/docs/git-fsck) from the `git` cli to check for data corruption on a given repository. Thanks @​N0zoM1z0 for finding and reporting this issue privately to the `go-git` project. [CVE-2026-33762](https://redirect.github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8) `go-git`’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (`go-git` supports only `v2` and `v3`) are not vulnerable to this issue. An attacker able to supply a crafted `.git/index` file can cause applications using go-git to panic while reading the index. If the application does not recover from panics, this results in process termination, leading to a denial-of-service (DoS) condition. Exploitation requires the ability to modify or inject a Git index file within the local repository in disk. This typically implies write access to the `.git` directory. Users should upgrade to `v5.17.1`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability. go-git maintainers thank @​kq5y for finding and reporting this issue privately to the `go-git` project. [CVE-2026-34165](https://redirect.github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp) A vulnerability has been identified in which a maliciously crafted `.idx` file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a Denial of Service (DoS) condition. Exploitation requires write access to the local repository's `.git` directory, it order to create or alter existing `.idx` files. Users should upgrade to `v5.17.1`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability. The go-git maintainers thank @​kq5y for finding and reporting this issue privately to the `go-git` project. [CVE-2026-41506](https://redirect.github.com/go-git/go-git/security/advisories/GHSA-3xc5-wrhm-f963) `go-git` may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. If a remote repository responds to the initial `/info/refs` request with a redirect to a different host, go-git updates the session endpoint to the redirected location and reuses the original authentication for subsequent requests. This can result in the credentials (e.g. Authorization headers) being sent to an unintended host. An attacker controlling or influencing the redirect target can capture these credentials and potentially reuse them to access the victim’s repositories or other resources, depending on the scope of the credential. **Clients using `go-git` exclusively with trusted remotes (for example, GitHub or GitLab), and over a secure HTTPS connection, are not affected by this issue.** The risk arises when interacting with untrusted or misconfigured Git servers, or when using unsecured HTTP connections, which is not recommended. Such configurations also expose clients to a broader class of security risks beyond this issue, including credential interception and tampering of repository data. Users should upgrade to `v5.18.0`, or `v6.0.0-alpha.2`, in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported `go-git` version. The patched versions add support for configuring [followRedirects](https://git-scm.com/docs/git-config#Documentation/git-config.txt-httpfollowRedirects). In line with upstream behaviour, the default is now `initial`, while users can opt into `FollowRedirects` or `NoFollowRedirects` programmatically. Thanks to the 3 separate reports from @​celinke97, @​N0zoM1z0 and @​AyushParkara. Thanks for finding and reporting this issue privately to the `go-git` project. 🙇 [CVE-2026-45022](https://redirect.github.com/go-git/go-git/security/advisories/GHSA-389r-gv7p-r3rp) `go-git` may parse malformed Git objects in a way that differs from upstream Git. When `commit` or `tag` objects contain ambiguous or malformed headers, `go-git`’s decoded representation may expose values differently from how Git itself would interpret or reject the same object. Additionally, `go-git`’s commit signing and verification logic operates over commit data reconstructed from `go-git`’s parsed representation rather than the original raw object bytes. As a result, `go-git` may sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository. This can cause a signature to appear valid for a commit whose displayed or effective metadata differs from the object that was intended to be signed. Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported `go-git` version. Thanks to @​bugbunny-research (https://bugbunny.ai/) for reporting this to `sigstore/gitsign`, and to @​wlynch, @​patzielinski and @​adityasaky for coordinating the disclosure with the `go-git` project. 🙇 🥇 Thanks to @​wayphinder for reporting this to the `go-git` project. :bow: --- <details> <summary>go-git/go-git (github.com/go-git/go-git/v5)</summary> [`v5.19.0`](https://redirect.github.com/go-git/go-git/releases/tag/v5.19.0) [Compare Source](https://redirect.github.com/go-git/go-git/compare/v5.18.0...v5.19.0) - build: Update module github.com/go-git/go-git/v5 to v5.18.0 \[SECURITY] (releases/v5.x) by [@​go-git-renovate](https://redirect.github.com/go-git-renovate)\[bot] in[https://github.com/go-git/go-git/pull/2010](https://redirect.github.com/go-git/go-git/pull/2010)0 - v5: Bump sha1cd and go-billy by [@​pjbgf](https://redirect.github.com/pjbgf) in [https://github.com/go-git/go-git/pull/2060](https://redirect.github.com/go-git/go-git/pull/2060) - v5: Align object encoding with upstream by [@​pjbgf](https://redirect.github.com/pjbgf) in [https://github.com/go-git/go-git/pull/2065](https://redirect.github.com/go-git/go-git/pull/2065) **Full Changelog**: go-git/go-git@v5.18.0...v5.19.0 </details> --- 📅 **Schedule**: Branch creation - "" (UTC), Automerge - Monday through Friday ( * * * * 1-5 ) (UTC). 🚦 **Automerge**: Disabled because a matching PR was automerged previously. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yNjQuMCIsInVwZGF0ZWRJblZlciI6IjM5LjI2NC4wIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyIsImltcGFjdC9uby1jaGFuZ2Vsb2ctcmVxdWlyZWQiXX0=--> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Richard Shade <131337+rshade@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: pulumi-renovate[bot] <189166143+pulumi-renovate[bot]@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v5.18.0->v5.19.0GitHub Vulnerability Alerts
CVE-2026-25934
Impact
A vulnerability was discovered in
go-gitwhereby data integrity values for.packand.idxfiles were not properly verified. This resulted ingo-gitpotentially consuming corrupted files, which would likely result in unexpected errors such asobject not found.For context, clients fetch
packfilesfrom upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (.idx) are generated locally bygo-git, or thegitcli, when new.packfiles are received and processed. The integrity checks for both files were not being verified correctly.Note that the lack of verification of the packfile checksum has no impact on the trust relationship between the client and server, which is enforced based on the protocol being used (e.g. TLS in the case of
https://or known hosts forssh://). In other words, the packfile checksum verification does not provide any security benefits when connecting to a malicious or compromised Git server.Patches
Users should upgrade to
v5.16.5, or the latestv6pseudo-version, in order to mitigate this vulnerability.Workarounds
In case updating to a fixed version of
go-gitis not possible, users can run git fsck from thegitcli to check for data corruption on a given repository.Credit
Thanks @N0zoM1z0 for finding and reporting this issue privately to the
go-gitproject.CVE-2026-33762
Impact
go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing.This issue only affects Git index format version 4. Earlier formats (
go-gitsupports onlyv2andv3) are not vulnerable to this issue.An attacker able to supply a crafted
.git/indexfile can cause applications using go-git to panic while reading the index. If the application does not recover from panics, this results in process termination, leading to a denial-of-service (DoS) condition.Exploitation requires the ability to modify or inject a Git index file within the local repository in disk. This typically implies write access to the
.gitdirectory.Patches
Users should upgrade to
v5.17.1, or the latestv6pseudo-version, in order to mitigate this vulnerability.Credit
go-git maintainers thank @kq5y for finding and reporting this issue privately to the
go-gitproject.CVE-2026-34165
Impact
A vulnerability has been identified in which a maliciously crafted
.idxfile can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a Denial of Service (DoS) condition.Exploitation requires write access to the local repository's
.gitdirectory, it order to create or alter existing.idxfiles.Patches
Users should upgrade to
v5.17.1, or the latestv6pseudo-version, in order to mitigate this vulnerability.Credit
The go-git maintainers thank @kq5y for finding and reporting this issue privately to the
go-gitproject.CVE-2026-41506
Impact
go-gitmay leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations.If a remote repository responds to the initial
/info/refsrequest with a redirect to a different host, go-git updates the session endpoint to the redirected location and reuses the original authentication for subsequent requests. This can result in the credentials (e.g. Authorization headers) being sent to an unintended host.An attacker controlling or influencing the redirect target can capture these credentials and potentially reuse them to access the victim’s repositories or other resources, depending on the scope of the credential.
Clients using
go-gitexclusively with trusted remotes (for example, GitHub or GitLab), and over a secure HTTPS connection, are not affected by this issue. The risk arises when interacting with untrusted or misconfigured Git servers, or when using unsecured HTTP connections, which is not recommended. Such configurations also expose clients to a broader class of security risks beyond this issue, including credential interception and tampering of repository data.Patches
Users should upgrade to
v5.18.0, orv6.0.0-alpha.2, in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supportedgo-gitversion.The patched versions add support for configuring followRedirects. In line with upstream behaviour, the default is now
initial, while users can opt intoFollowRedirectsorNoFollowRedirectsprogrammatically.Credit
Thanks to the 3 separate reports from @celinke97, @N0zoM1z0 and @AyushParkara. Thanks for finding and reporting this issue privately to the
go-gitproject. 🙇CVE-2026-45022
Impact
go-gitmay parse malformed Git objects in a way that differs from upstream Git. Whencommitortagobjects contain ambiguous or malformed headers,go-git’s decoded representation may expose values differently from how Git itself would interpret or reject the same object.Additionally,
go-git’s commit signing and verification logic operates over commit data reconstructed fromgo-git’s parsed representation rather than the original raw object bytes. As a result,go-gitmay sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository.This can cause a signature to appear valid for a commit whose displayed or effective metadata differs from the object that was intended to be signed.
Patches
Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported
go-gitversion.Credit
Thanks to @bugbunny-research (https://bugbunny.ai/) for reporting this to
sigstore/gitsign, and to @wlynch, @patzielinski and @adityasaky for coordinating the disclosure with thego-gitproject. 🙇 🥇Thanks to @wayphinder for reporting this to the
go-gitproject. 🙇Release Notes
go-git/go-git (github.com/go-git/go-git/v5)
v5.19.0Compare Source
What's Changed
Full Changelog: go-git/go-git@v5.18.0...v5.19.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - Monday through Friday ( * * * * 1-5 ) (UTC).
🚦 Automerge: Disabled because a matching PR was automerged previously.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.