CVE-2026-25934
CVE-2026-25934 is a medium-severity vulnerability in Go-git Project Go-git with a CVSS 3.x base score of 4.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-354.
Key facts
- Severity: Medium (CVSS 3.x base score 4.3)
- EPSS exploit prediction: 0% (3rd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-6247
- Weakness: CWE-354
- Affected product: Go-git Project Go-git
- Published:
- Last modified:
Description
go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would likely result in unexpected errors such as object not found. For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (.idx) are generated locally by go-git, or the git cli, when new .pack files are received and processed. The integrity checks for both files were not being verified correctly. This vulnerability is fixed in 5.16.5.
Frequently asked questions
- What is CVE-2026-25934?
- go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would likely result in unexpected errors such as object not found. For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (.idx) are generated locally by go-git, or the git cli, when new .pack files are received and processed. The integrity checks for both files were not being verified correctly. This vulnerability is fixed in 5.16.5.
- How severe is CVE-2026-25934?
- CVE-2026-25934 has a CVSS 3.x base score of 4.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is none, integrity low, and availability none.
- Is CVE-2026-25934 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (3rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-25934?
- CVE-2026-25934 affects Go-git Project Go-git. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-25934?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-25934 have an EU (EUVD) identifier?
- Yes. CVE-2026-25934 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-6247.
- When was CVE-2026-25934 published?
- CVE-2026-25934 was published on 2026-02-09 and last updated on 2026-06-17.
References
- https://github.com/go-git/go-git/releases/tag/v5.16.5
- https://github.com/go-git/go-git/security/advisories/GHSA-37cx-329c-33x3
Affected products (1)
- cpe:2.3:a:go-git_project:go-git:*:*:*:*:*:go:*:*
More vulnerabilities in Go-git Project Go-git
- CVE-2025-21613 — Critical (CVSS 9.8): go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was…
- CVE-2023-49569 — Critical (CVSS 9.8): A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker…
- CVE-2026-45570 — Critical (CVSS 9.6): go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH…
- CVE-2026-45022 — High (CVSS 7.5): go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may…
- CVE-2025-21614 — High (CVSS 7.5): go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability…
- CVE-2023-49568 — High (CVSS 7.5): A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an…
All CVEs affecting Go-git Project Go-git →
Other CWE-354 vulnerabilities
- CVE-2025-11543 — Critical (CVSS 9.8): Improper Validation of Integrity Check Value vulnerability in Sharp Display Solutions projectors allows a attacker may…
- CVE-2024-25678 — Critical (CVSS 9.8): In LiteSpeed QUIC (LSQUIC) Library before 4.0.4, DCID validation is mishandled.
- CVE-2023-33668 — Critical (CVSS 9.8): DigiExam up to v14.0.2 lacks integrity checks for native modules, allowing attackers to access PII and takeover…
- CVE-2017-15994 — Critical (CVSS 9.8): rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to…
- CVE-2026-49230 — Critical (CVSS 9.1): Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default…
- CVE-2026-34182 — Critical (CVSS 9.1): Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the…