Sign In

CVE-2025-21613

ADVISORY - github

Summary

Impact

An argument injection vulnerability was discovered in go-git versions prior to v5.13.

Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries.

Affected versions

Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend users to enforce restrict validation rules for values passed in the URL field.

Credit

Thanks to @vin01 for responsibly disclosing this vulnerability to us.

EPSS Score: 0.00504 (0.653)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

ADVISORY - github

CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

ADVISORY - gitlab

CWE-1035

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-937

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

ADVISORY - redhat

CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Impacted images

Advisories
Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in