USN-8088-1

Advisory lineage Upstream: 10 Downstream: 0
Published: 12 Mar 2026, 15:53
Last modified: 27 Apr 2026, 18:41

Vulnerability Summary

Overall Risk (default): minimal (0/100)
CVSS Score: No data
EPSS Score: No data
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected

Timeline

12 Mar 2026, 15:53: Published (vulnerability first disclosed)
27 Apr 2026, 18:41: Last Modified (vulnerability information updated)

Description

golang-github-go-git-go-git vulnerabilities

Ionut Lalu discovered that go-git incorrectly handled certain specially crafted Git server responses. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-49568, CVE-2025-21614)

Ionut Lalu discovered that go-git incorrectly handled file system paths when using the ChrootOS implementation. A remote attacker could possibly use this issue to perform a path traversal and create or modify arbitrary files, leading to remote code execution. (CVE-2023-49569)

It was discovered that go-git did not properly sanitize arguments when invoking git-upload-pack using the file transport protocol. An attacker could possibly use this issue to inject arbitrary flag values when interacting with local Git repositories. (CVE-2025-21613)

It was discovered that go-git did not properly verify integrity checks for pack and index files. An attacker could possibly use this issue to cause go-git to process corrupted repository data, resulting in unexpected errors or an incorrect repository state. (CVE-2026-25934)

Affected Systems

  • ubuntu golang-github-go-git-go-git

    < 5.4.2-3ubuntu0.1~esm1 | < 5.4.2-4ubuntu0.24.04.3+esm2

References (6)