CVE-2025-21614

Aliases:GHSA-r9px-m959-cxf4GO-2025-3367

Advisory lineage Upstream: 0 Downstream: 12

Downstream

DEBIAN-CVE-2025-21614 OPENSUSE-SU-2025:0056-1 OPENSUSE-SU-2025:14624-1 OPENSUSE-SU-2025:14634-1 OPENSUSE-SU-2025:15487-1 OPENSUSE-SU-2025:20117-1

Analyzed

Published: 06 Jan 2025, 16:20

Last modified:26 Aug 2025, 19:48

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (cve.org)

EPSS Score

0.23% LOW

0% probability +0.13%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

06 Jan 2025, 16:20

Published

Vulnerability first disclosed

26 Aug 2025, 19:48

Last Modified

Vulnerability information updated

Description

go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.23%• Percentile: 46%

Techniques & Countermeasures

CWE-400•Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.

Affected Systems

go-git_project•go-git
< 5.13.0
go-git•go-git
≥ 4.0.0, < 5.13.0
github.com/go-git•go-git
≥ 4.0.0, ≤ 4.13.1
github.com/go-git/go-git•v4
≥ 4.0.0
github.com/go-git/go-git•v5
< 5.13.0
gopkg.in/src-d•go-git.v4
≥ 4.0.0, ≤ 4.13.1 | ≥ 4.0.0