forgejo/forgejo
forgejo/forgejo
108
4.5k
Fork 778
Code Issues 1.3k Pull requests 140 Projects Releases 103 Packages 1 Activity Actions 3

Update github.com/go-git/go-git/v5 (indirect) to v5.18.0 [SECURITY] (v14.0/forgejo) - autoclosed #12176

Merged
mfenniak merged 1 commit from renovate/v14.0/forgejo-go-github.com-go-git-go-git-v5-vulnerability into v14.0/forgejo 2026-04-18 05:10:09 +02:00
Conversation 0 Commits 1 Files changed 2 +3 -3
viceice-bot commented 2026-04-18 03:08:35 +02:00
Member
Copy link

This PR contains the following updates:

Package Change Age Confidence
github.com/go-git/go-git/v5 v5.17.1v5.18.0 age confidence

go-git: Credential leak via cross-host redirect in smart HTTP transport

GHSA-3xc5-wrhm-f963

More information

Details

Impact

go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations.

If a remote repository responds to the initial /info/refs request with a redirect to a different host, go-git updates the session endpoint to the redirected location and reuses the original authentication for subsequent requests. This can result in the credentials (e.g. Authorization headers) being sent to an unintended host.

An attacker controlling or influencing the redirect target can capture these credentials and potentially reuse them to access the victim’s repositories or other resources, depending on the scope of the credential.

Clients using go-git exclusively with trusted remotes (for example, GitHub or GitLab), and over a secure HTTPS connection, are not affected by this issue. The risk arises when interacting with untrusted or misconfigured Git servers, or when using unsecured HTTP connections, which is not recommended. Such configurations also expose clients to a broader class of security risks beyond this issue, including credential interception and tampering of repository data.

Patches

Users should upgrade to v5.18.0, or v6.0.0-alpha.2, in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version.

The patched versions add support for configuring followRedirects. In line with upstream behaviour, the default is now initial, while users can opt into FollowRedirects or NoFollowRedirects programmatically.

Credit

Thanks to the 3 separate reports from @​celinke97, @​N0zoM1z0 and @​AyushParkara. Thanks for finding and reporting this issue privately to the go-git project. 🙇

Severity

  • CVSS Score: 4.7 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

go-git/go-git (github.com/go-git/go-git/v5)

v5.18.0

Compare Source

What's Changed

  • plumbing: transport/http, Add support for followRedirects policy by @​pjbgf in #​2004

Full Changelog: https://github.com/go-git/go-git/compare/v5.17.2...v5.18.0

v5.17.2

Compare Source

What's Changed

⚠️ This release fixes a bug (#​1942) that blocked some users from upgrading to v5.17.1. Thanks @​pskrbasu for reporting it. 🙇

Full Changelog: https://github.com/go-git/go-git/compare/v5.17.1...v5.17.2

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • Between 12:00 AM and 03:59 AM (* 0-3 * * *)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | `v5.17.1` → `v5.18.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgo-git%2fgo-git%2fv5/v5.18.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgo-git%2fgo-git%2fv5/v5.17.1/v5.18.0?slim=true) | --- ### go-git: Credential leak via cross-host redirect in smart HTTP transport [GHSA-3xc5-wrhm-f963](https://github.com/advisories/GHSA-3xc5-wrhm-f963) <details> <summary>More information</summary> #### Details ##### Impact `go-git` may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. If a remote repository responds to the initial `/info/refs` request with a redirect to a different host, go-git updates the session endpoint to the redirected location and reuses the original authentication for subsequent requests. This can result in the credentials (e.g. Authorization headers) being sent to an unintended host. An attacker controlling or influencing the redirect target can capture these credentials and potentially reuse them to access the victim’s repositories or other resources, depending on the scope of the credential. **Clients using `go-git` exclusively with trusted remotes (for example, GitHub or GitLab), and over a secure HTTPS connection, are not affected by this issue.** The risk arises when interacting with untrusted or misconfigured Git servers, or when using unsecured HTTP connections, which is not recommended. Such configurations also expose clients to a broader class of security risks beyond this issue, including credential interception and tampering of repository data. ##### Patches Users should upgrade to `v5.18.0`, or `v6.0.0-alpha.2`, in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported `go-git` version. The patched versions add support for configuring [followRedirects](https://git-scm.com/docs/git-config#Documentation/git-config.txt-httpfollowRedirects). In line with upstream behaviour, the default is now `initial`, while users can opt into `FollowRedirects` or `NoFollowRedirects` programmatically. ##### Credit Thanks to the 3 separate reports from @&#8203;celinke97, @&#8203;N0zoM1z0 and @&#8203;AyushParkara. Thanks for finding and reporting this issue privately to the `go-git` project. :bow: #### Severity - CVSS Score: 4.7 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N` #### References - [https://github.com/go-git/go-git/security/advisories/GHSA-3xc5-wrhm-f963](https://github.com/go-git/go-git/security/advisories/GHSA-3xc5-wrhm-f963) - [https://github.com/go-git/go-git](https://github.com/go-git/go-git) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-3xc5-wrhm-f963) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>go-git/go-git (github.com/go-git/go-git/v5)</summary> ### [`v5.18.0`](https://github.com/go-git/go-git/releases/tag/v5.18.0) [Compare Source](https://github.com/go-git/go-git/compare/v5.17.2...v5.18.0) #### What's Changed - plumbing: transport/http, Add support for followRedirects policy by [@&#8203;pjbgf](https://github.com/pjbgf) in [#&#8203;2004](https://github.com/go-git/go-git/pull/2004) **Full Changelog**: <https://github.com/go-git/go-git/compare/v5.17.2...v5.18.0> ### [`v5.17.2`](https://github.com/go-git/go-git/releases/tag/v5.17.2) [Compare Source](https://github.com/go-git/go-git/compare/v5.17.1...v5.17.2) #### What's Changed - build: Update module github.com/go-git/go-git/v5 to v5.17.1 \[SECURITY] (releases/v5.x) by [@&#8203;go-git-renovate](https://github.com/go-git-renovate)\[bot] in [#&#8203;1941](https://github.com/go-git/go-git/pull/1941) - dotgit: skip writing pack files that already exist on disk by [@&#8203;pjbgf](https://github.com/pjbgf) in [#&#8203;1944](https://github.com/go-git/go-git/pull/1944) :warning: This release fixes a bug ([#&#8203;1942](https://github.com/go-git/go-git/issues/1942)) that blocked some users from upgrading to `v5.17.1`. Thanks [@&#8203;pskrbasu](https://github.com/pskrbasu) for reporting it. :bow: **Full Changelog**: <https://github.com/go-git/go-git/compare/v5.17.1...v5.17.2> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTEuMCIsInVwZGF0ZWRJblZlciI6IjQzLjExMS4wIiwidGFyZ2V0QnJhbmNoIjoidjE0LjAvZm9yZ2VqbyIsImxhYmVscyI6WyJkZXBlbmRlbmN5LXVwZ3JhZGUiLCJ0ZXN0L25vdC1uZWVkZWQiXX0=-->
Update github.com/go-git/go-git/v5 (indirect) to v5.18.0 [SECURITY]
All checks were successful
issue-labels / cascade (pull_request_target) Has been skipped
Details
testing / frontend-checks (pull_request) Successful in 2m17s
Details
testing / backend-checks (pull_request) Successful in 8m14s
Details
testing / test-unit (pull_request) Successful in 13m35s
Details
testing / test-mysql (pull_request) Successful in 42m17s
Details
testing / test-e2e (pull_request) Successful in 43m21s
Details
testing / test-sqlite (pull_request) Successful in 47m56s
Details
testing / test-pgsql (pull_request) Successful in 54m46s
Details
testing / test-remote-cacher (redis) (pull_request) Successful in 2m56s
Details
testing / test-remote-cacher (valkey) (pull_request) Successful in 2m47s
Details
testing / test-remote-cacher (garnet) (pull_request) Successful in 3m12s
Details
testing / test-remote-cacher (redict) (pull_request) Successful in 3m12s
Details
testing / security-check (pull_request) Successful in 1m49s
Details
issue-labels / backporting (pull_request_target) Has been skipped
Details
milestone / set (pull_request_target) Has been skipped
Details
issue-labels / release-notes (pull_request_target) Has been skipped
Details
requirements / merge-conditions (pull_request) Successful in 3s
Details
75a8606e27
mfenniak approved these changes 2026-04-18 05:08:52 +02:00
mfenniak left a comment
Copy link

Forgejo's usage of go-git is not affected, as the only relevant usage is the runner library parsing .gitignore. As always though, no harm in upgrading, but not a security vulnerability that is relevant for Forgejo.

Forgejo's usage of go-git is not affected, as the only relevant usage is the runner library parsing `.gitignore`. As always though, no harm in upgrading, but not a security vulnerability that is relevant for Forgejo.
mfenniak merged commit 54d13b309c into v14.0/forgejo 2026-04-18 05:10:39 +02:00
mfenniak deleted branch renovate/v14.0/forgejo-go-github.com-go-git-go-git-v5-vulnerability 2026-04-18 05:11:21 +02:00
viceice-bot changed title from Update github.com/go-git/go-git/v5 (indirect) to v5.18.0 [SECURITY] (v14.0/forgejo) to Update github.com/go-git/go-git/v5 (indirect) to v5.18.0 [SECURITY] (v14.0/forgejo) - autoclosed 2026-04-18 05:14:38 +02:00
Sign in to join this conversation.
Reviewers
No reviewers
mfenniak
forgejo/Reviewers
Labels
Clear labels   
arch
riscv64

Archived

  
backport/v1.19
Scheduled for backport to Forgejo v1.19

Archived

  
backport/v1.20
Scheduled for backport to Forgejo v1.20

Archived

  
backport/v1.21/forgejo
Scheduled for backport to Forgejo v1.21

Archived

  
backport/v10.0/forgejo
Automated backport to v10.0

Archived

  
backport/v11.0/forgejo
Automated backport to v11.0

  
backport/v12.0/forgejo
Automated backport to v12.0

Archived

  
backport/v13.0/forgejo
Automated backport to v13.0

Archived

  
backport/v14.0/forgejo
Automated backport to v14.0

Archived

  
backport/v15.0/forgejo
Automated backport to v15.0

  
backport/v7.0/forgejo
Scheduled for backport to Forgejo v7.0

Archived

  
backport/v8.0/forgejo
Scheduled for backport to Forgejo v8.0

Archived

  
backport/v9.0/forgejo
Scheduled for backport to Forgejo v9.0

Archived

  
breaking
The release containing this change is not backward compatible

  
bug
Something is not working

Archived

  
bug
confirmed
 it can be reproduced

  
bug
duplicate
 bug has already been reported in the Forgejo tracker

  
bug
needs-more-info
 the information provided does not contain enough details

  
bug
new-report
 bug has just been reported and need triage (default label on issue creation)

  
bug
reported-upstream
 bug cannot be fixed within Forgejo easily, it has been reported upstream

  
code/actions
Forgejo Actions feature

  
code/api
API

  
code/auth
Forgejo Authentication

  
code/auth/faidp
Forgejo as Identity Provider (in OAuth/OIDC flow)

  
code/auth/farp
Forgejo as Relying Party / Client (in OAuth/OIDC flow)

  
code/email
Everything related to email in Forgejo

  
code/federation
Federation

  
code/git
Related to the Git backend in Forgejo

  
code/migrations
Migration between Git forges (i.e. for GitHub, GitLab, Gitea, Forgejo, etc.). NOT for database migrations.

  
code/packages
Forgejo package and container registry

  
code/wiki
  
database
MySQL
 https://www.mysql.com/

  
database
PostgreSQL
 https://www.postgresql.org/

  
database
SQLite
 https://sqlite.org/

  
dependency-upgrade
https://codeberg.org/forgejo/forgejo/issues/2779

  
dependency
Chi
 https://github.com/go-chi/chi/

Archived

  
dependency
Chroma
 https://github.com/alecthomas/chroma/

Archived

  
dependency
F3
 https://f3.forgefriends.org/

  
dependency
ForgeFed
 https://forgefed.org

  
dependency
garage
 https://git.deuxfleurs.fr/Deuxfleurs/garage

  
dependency
Gitea
 https://github.com/go-gitea/gitea

Archived

  
dependency
Golang
 https://go.dev/

  
Discussion

   
duplicate
This issue or pull request already exists

  
enhancement/feature
New feature

  
forgejo/accessibility
Accessibility (a11y)

  
forgejo/branding
Branding (logo, name, tagline etc.)

  
forgejo/ci
Forgejo Actions CI configuration

  
forgejo/commit-graph
The commit graph feature and page.

  
forgejo/documentation

   
forgejo/furnace cleanup
Keeping Forgejo in sync with its dependencies and contributing back to them

Archived

  
forgejo/i18n
t9n/translation, l10n/localization, and i18n/internationalization of Forgejo

  
forgejo/interop
Interoperability with other services: Webhooks, bridges, integrations

  
forgejo/moderation
Moderation

  
forgejo/privacy
Privacy first

  
forgejo/release
Release management

  
forgejo/scaling
Performance and scaling

  
forgejo/security
Security (please disclose responsibly)

  
forgejo/ui
User interface

  
Gain
High
 User research provides indicators that this would be good to have, interested contributors are encouraged to pick this.

  
Gain
Nice to have
 This is likely worth having, but the assumption is not backed by user research data (it might benefit a small amount of users only.) Unlikely to receive much attention, but feel free to pick.

  
Gain
Undefined
 Not enough information to assess the request's benefits. This issue may be closed if no gain is established: You can help by giving us more input.

  
Gain
Very High
 User research indicates that this is an important improvement for Forgejo users. Contributions very welcome!

  
good first issue
Optimal for first-timers! Make sure to look for further explanations and ask for help if needed. If you want, you can consider the person who added this label as a point of contact.

  
i18n/backport-stable
This PR needs to be backported to stable branch of Forgejo safely and manually, using a migration script.

  
impact
large
 Large impact: Potential data loss, many users affected, major degradation in UX.

  
impact
medium
 Medium impact: Several users affected, degradation in UX, workarounds might be available but inconvenient.

  
impact
small
 Small impact: No data loss, workarounds might be available, affects few users.

  
impact
unknown
 Report was not yet triaged to assess impact.

  
Incompatible license
This pull request contains changes that are not (yet) compatible with the current Forgejo license

  
issue
closed
 The issue was resolved in the repository of the dependency

  
issue
do-not-exist-yet
 An issue should be created in the respository of the dependency

  
issue
open
 An open issue exists in the upstream repository of the dependency

  
manual test
Pull requests that have been merged with a manual test

Archived

  
Manually tested during feature freeze
The manual test instructions were followed

  
OS
FreeBSD
 Specific to the FreeBSD Operating System

  
OS
Linux
 Specific to (GNU/)Linux Operating Systems

  
OS
macOS
 Specific to the MacOS Operating System

  
OS
Windows
 Specific to the Windows Operating System

  
problem
A user report about a problem. Needs to be triaged to find potential solutions.

  
QA

   
regression
found in the version of the milestone and not before

  
release blocker
Issues that must be fixed before the release can be published

  
Release Cycle
Feature Freeze
 Only bug fixes with automated tests (except for CSS/JavaScript)

  
release-blocker
v7.0
 Issues that must be fixed before Forgejo v7.0 can be released 17 April 2024

Archived

  
release-blocker
v7.0.1
 Issues that must be fixed before Forgejo v7.0.1 can be released

Archived

  
release-blocker
v7.0.2
 Issues that must be fixed before Forgejo v7.0.2 can be released

Archived

  
release-blocker
v7.0.3
 Issues that must be fixed before Forgejo v7.0.3 can be released

Archived

  
release-blocker
v7.0.4
 Issues that must be fixed before Forgejo v7.0.4 can be released

Archived

  
release-blocker
v8.0.0
 Issues that must be fixed before Forgejo v8.0.0 can be released

Archived

  
release-blocker/v9.0.0
Issues that must be fixed before Forgejo v9.0.0 can be released

Archived

  
run-all-playwright-tests
Add this label to a PR to run all playwright tests manually.

  
run-end-to-end-tests
Trigger additional tests on the PR when it is ready to be merged

  
test
manual
 manual testing has been documented

  
test
needed
 test should be added

  
test
needs-help
 help needed to add a test

  
test
not-needed
 no additional test is needed

  
test
present
 test has been added

  
untested
Pull requests that have been merged with no test and submitted as is to the dependency where they belong

Archived

  
User research - time-tracker
Time tracking feature for issues and the JS stopwatch.

  
valuable code
This PR was closed because the implementation is incomplete

  
worth a release-note
Add this PR to the release notes

  
User research - Accessibility
Requires input about accessibility features, likely involves user testing.

  
User research - Blocked
Do not pick as-is! We are happy if you can help, but please coordinate with ongoing redesign in this area.

  
User research - Community
Community features, such as discovering other people's work or otherwise feeling welcome on a Forgejo instance.

  
User research - Config (instance)
Instance-wide configuration, authentication and other admin-only needs.

  
User research - Errors
How to deal with errors in the application and write helpful error messages.

  
User research - Filters
How filter and search is being worked with.

  
User research - Future backlog
The issue might be inspiring for future design work.

  
User research - Git workflow
AGit, fork-based and new Git workflow, PR creation etc

  
User research - Labels
Active research about Labels

  
User research - Moderation
Moderation Featuers for Admins are undergoing active User Research

  
User research - Needs input
Use this label to let the User Research team know their input is requested.

  
User research - Notifications/Dashboard
Research on how users should know what to do next.

  
User research - Rendering
Text rendering, markup languages etc

  
User research - Repo creation
Active research about the New Repo dialog.

  
User research - Repo units
The repo sections, disabling them and the "Add more" button.

  
User research - Security

   
User research - Settings (in-app)
How to structure in-app settings in the future?

No labels
arch
riscv64
backport/v1.19
backport/v1.20
backport/v1.21/forgejo
backport/v10.0/forgejo
backport/v11.0/forgejo
backport/v12.0/forgejo
backport/v13.0/forgejo
backport/v14.0/forgejo
backport/v15.0/forgejo
backport/v7.0/forgejo
backport/v8.0/forgejo
backport/v9.0/forgejo
breaking
bug
bug
confirmed
bug
duplicate
bug
needs-more-info
bug
new-report
bug
reported-upstream
code/actions
code/api
code/auth
code/auth/faidp
code/auth/farp
code/email
code/federation
code/git
code/migrations
code/packages
code/wiki
database
MySQL
database
PostgreSQL
database
SQLite
dependency-upgrade
dependency
Chi
dependency
Chroma
dependency
F3
dependency
ForgeFed
dependency
garage
dependency
Gitea
dependency
Golang
Discussion
duplicate
enhancement/feature
forgejo/accessibility
forgejo/branding
forgejo/ci
forgejo/commit-graph
forgejo/documentation
forgejo/furnace cleanup
forgejo/i18n
forgejo/interop
forgejo/moderation
forgejo/privacy
forgejo/release
forgejo/scaling
forgejo/security
forgejo/ui
Gain
High
Gain
Nice to have
Gain
Undefined
Gain
Very High
good first issue
i18n/backport-stable
impact
large
impact
medium
impact
small
impact
unknown
Incompatible license
issue
closed
issue
do-not-exist-yet
issue
open
manual test
Manually tested during feature freeze
OS
FreeBSD
OS
Linux
OS
macOS
OS
Windows
problem
QA
regression
release blocker
Release Cycle
Feature Freeze
release-blocker
v7.0
release-blocker
v7.0.1
release-blocker
v7.0.2
release-blocker
v7.0.3
release-blocker
v7.0.4
release-blocker
v8.0.0
release-blocker/v9.0.0
run-all-playwright-tests
run-end-to-end-tests
test
manual
test
needed
test
needs-help
test
not-needed
test
present
untested
User research - time-tracker
valuable code
worth a release-note
User research - Accessibility
User research - Blocked
User research - Community
User research - Config (instance)
User research - Errors
User research - Filters
User research - Future backlog
User research - Git workflow
User research - Labels
User research - Moderation
User research - Needs input
User research - Notifications/Dashboard
User research - Rendering
User research - Repo creation
User research - Repo units
User research - Security
User research - Settings (in-app)
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forgejo/forgejo!12176
No description provided.