216.73.216.78

CVE-2026-45022

· Published 27/05/2026 15:16 · Modified 27/05/2026 15:16

Labels: CVE-2026-45022 2026-05-27CVE-2026-45022CWE-180[email protected]

Essential information

Published
27/05/2026 15:16
Modified
27/05/2026 15:16
Author
Creator
CVSS
7.0 HIGH (v3) 7.0 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representation may expose values differently from how Git itself would interpret or reject the same object. Additionally, go-git’s commit signing and verification logic operates over commit data reconstructed from go-git’s parsed representation rather than the original raw object bytes. As a result, go-git may sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository. This can cause a signature to appear valid for a commit whose displayed or effective metadata differs from the object that was intended to be signed. This vulnerability is fixed in 5.19.0 and 6.0.0-alpha.3.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
go-git / go-git cpe:2.3:a:go-git:go-git:<5.19.0:*:*:*:*:*:*:*
go-git / go-git cpe:2.3:a:go-git:go-git:<6.0.0-alpha.3:*:*:*:*:*:*:*

References