CVE-2026-25934

CVE-2026-25934 is a medium-severity vulnerability in Go-git Project Go-git with a CVSS 3.x base score of 4.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-354.

Key facts

Description

go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would likely result in unexpected errors such as object not found. For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (.idx) are generated locally by go-git, or the git cli, when new .pack files are received and processed. The integrity checks for both files were not being verified correctly. This vulnerability is fixed in 5.16.5.

Frequently asked questions

What is CVE-2026-25934?
go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would likely result in unexpected errors such as object not found. For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (.idx) are generated locally by go-git, or the git cli, when new .pack files are received and processed. The integrity checks for both files were not being verified correctly. This vulnerability is fixed in 5.16.5.
How severe is CVE-2026-25934?
CVE-2026-25934 has a CVSS 3.x base score of 4.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is none, integrity low, and availability none.
Is CVE-2026-25934 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (3rd percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-25934?
CVE-2026-25934 affects Go-git Project Go-git. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-25934?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-25934 have an EU (EUVD) identifier?
Yes. CVE-2026-25934 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-6247.
When was CVE-2026-25934 published?
CVE-2026-25934 was published on 2026-02-09 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Go-git Project Go-git

All CVEs affecting Go-git Project Go-git →

Other CWE-354 vulnerabilities

Browse all CWE-354 vulnerabilities →