CVE-2026-25934

Aliases:GHSA-37cx-329c-33x3GO-2026-4473
Advisory lineage Upstream: 0 Downstream: 7
Analyzed
Published: 09 Feb 2026, 22:13
Last modified:11 Feb 2026, 21:23

Vulnerability Summary

Overall Risk (default)
low
17/100
CVSS Score
4.3 MEDIUM
v3.1 (cve.org)
EPSS Score
<0.01% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

09 Feb 2026, 22:13
Published
Vulnerability first disclosed
11 Feb 2026, 21:23
Last Modified
Vulnerability information updated

Description

go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would likely result in unexpected errors such as object not found. For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (.idx) are generated locally by go-git, or the git cli, when new .pack files are received and processed. The integrity checks for both files were not being verified correctly. This vulnerability is fixed in 5.16.5.

CVSS Metrics

  • v3.1MEDIUMScore: 4.3CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

EPSS Trends

Current EPSS score: 0.01% Percentile: 1%

Techniques & Countermeasures

  • CWE-354Improper Validation of Integrity Check Value

    The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.

Affected Systems

  • go-git_projectgo-git

    < 5.16.5

  • go-gitgo-git

    < 5.16.5

  • github.com/go-gitgo-git

    all

  • github.com/go-git/go-gitv4

    all

  • github.com/go-git/go-gitv5

    < 5.16.5

References (4)