CVE-2023-49568

Aliases:GHSA-mw99-9chc-xw7rGO-2024-2466
Advisory lineage Upstream: 0 Downstream: 5
Modified
Published: 12 Jan 2024, 10:36
Last modified:17 Jun 2025, 21:09

Vulnerability Summary

Overall Risk (default)
medium
30/100
CVSS Score
7.5 HIGH
v3.1 (cve.org)
EPSS Score
0.11% LOW
0% probability -0.04%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

12 Jan 2024, 10:36
Published
Vulnerability first disclosed
17 Jun 2025, 21:09
Last Modified
Vulnerability information updated

Description

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability. This is a go-git implementation issue and does not affect the upstream git cli.

CVSS Metrics

  • v3.1HIGHScore: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.11% Percentile: 29%

Techniques & Countermeasures

  • CWE-20Improper Input Validation

    The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Affected Systems

  • go-git_projectgo-git

    ≥ 4.0.0, < 5.11.0

  • go-gitgo-git

    5.11.0

  • github.com/go-git/go-gitv5

    ≥ 5.0.0, < 5.11.0 | < 5.11.0

  • gopkg.in/src-dgo-git.v4

    ≥ 4.7.1 | ≥ 4.7.1, ≤ 4.13.1

References (3)