Arbitrary Value Injection Vulnerability in go-git Prior to v5.13
CVE-2025-21613
What is CVE-2025-21613?
CVE-2025-21613 is a vulnerability in go-git, a library written in Go that implements Git functionality. The flaw is an arbitrary value injection vulnerability affecting versions prior to v5.13. By exploiting it, an attacker could manipulate git-upload-pack flags, particularly through the file transport protocol, with severe implications for organizations that rely on go-git for version control operations.
Technical Details
The vulnerability arises from improper handling of arguments within the go-git library when the file transport protocol is used. An attacker can inject arbitrary values into the git-upload-pack command, potentially altering how the command executes. The vulnerability is confined to versions of go-git released before v5.13.0, which introduced a fix for the issue. The flaw demonstrates the importance of rigorous input validation and secure coding practices in software development.
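To find affected projects, the version boundary above can be checked against a go.mod file. The following is an added example, not code from go-git or from this advisory; it assumes go-git is required under the module path github.com/go-git/go-git/v5, and the sample go.mod content is constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Assumption: go-git v5 is required under this module path.
const goGitModule = "github.com/go-git/go-git/v5"

// affected reports whether version sorts before v5.13.0, the fixed release.
func affected(version string) bool {
	core := strings.SplitN(strings.TrimPrefix(version, "v"), "+", 2)[0]
	pre := strings.Contains(core, "-") // pre-release or pseudo-version suffix
	parts := strings.Split(strings.SplitN(core, "-", 2)[0], ".")
	if len(parts) != 3 {
		return true // unparseable: flag for manual review
	}
	fixed := [3]int{5, 13, 0}
	for i, p := range parts {
		if n, err := strconv.Atoi(p); err != nil || n < fixed[i] {
			return true
		} else if n > fixed[i] {
			return false
		}
	}
	return pre // exactly 5.13.0: only a pre-release of it is affected
}

// scan returns the go-git version a go.mod requires and whether it is
// affected. version is empty if go-git is absent; replace directives are ignored.
func scan(goMod string) (version string, vulnerable bool) {
	for _, line := range strings.Split(goMod, "\n") {
		line = strings.SplitN(line, "//", 2)[0] // drop "// indirect" comments
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == goGitModule {
			return f[1], affected(f[1])
		}
	}
	return "", false
}

// Constructed sample go.mod content, not taken from a real project.
const sampleGoMod = "module example.com/mirror\n\nrequire (\n\tgithub.com/go-git/go-git/v5 v5.12.0 // indirect\n)\n"

func main() {
	fmt.Println(scan(sampleGoMod))
}
```

A match only shows that an affected version is pinned in go.mod; whether the file transport protocol is actually reachable in the application has to be reviewed separately.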
Potential Impact of CVE-2025-21613
- Unauthorized Code Execution: Successful exploitation could allow attackers to execute unauthorized commands within the context of git operations, potentially leading to system compromise.
- Data Integrity Risks: The ability to manipulate git-upload-pack flags can compromise the integrity of repository data, enabling attackers to alter or corrupt data stored in repositories.
- Increased Attack Surface: Organizations utilizing affected versions of go-git may face increased risks, as attackers could leverage this vulnerability to facilitate further attacks or gain unauthorized access to system resources.