build: Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] (releases/v5.x) by go-git-renovate[bot] · Pull Request #1743 · go-git/go-git

go-git-renovate · 2025-11-23T20:48:55Z

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/go-git/go-git/v5	`v5.12.0` -> `v5.13.0`

go-git has an Argument Injection via the URL field

CVE-2025-21613 / GHSA-v725-9546-7q7m / GO-2025-3368

More information

Details

Impact

An argument injection vulnerability was discovered in go-git versions prior to v5.13.

Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries.

Affected versions

Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend users to enforce restrict validation rules for values passed in the URL field.

Credit

Thanks to @vin01 for responsibly disclosing this vulnerability to us.

Severity

CVSS Score: 9.2 / 10 (Critical)
Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

go-git clients vulnerable to DoS via maliciously crafted Git server replies

CVE-2025-21614 / GHSA-r9px-m959-cxf4 / GO-2025-3367

More information

Details

Impact

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.

This is a go-git implementation issue and does not affect the upstream git cli.

Patches

Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend limiting its use to only trust-worthy Git servers.

Credit

Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.

Severity

CVSS Score: 7.5 / 10 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Argument Injection via the URL field in github.com/go-git/go-git

CVE-2025-21613 / GHSA-v725-9546-7q7m / GO-2025-3368

More information

Details

Argument Injection via the URL field in github.com/go-git/go-git

Severity

Unknown

References

https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Clients vulnerable to DoS via maliciously crafted Git server replies in github.com/go-git/go-git

CVE-2025-21614 / GHSA-r9px-m959-cxf4 / GO-2025-3367

More information

Details

Clients vulnerable to DoS via maliciously crafted Git server replies in github.com/go-git/go-git

Severity

Unknown

References

https://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Release Notes

go-git/go-git (github.com/go-git/go-git/v5)

`v5.13.0`

Compare Source

What's Changed

build: bump github.com/go-git/go-git/v5 from 5.11.0 to 5.12.0 in /cli/go-git by @dependabot in #1065
build: bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in #1068
build: bump golang.org/x/net from 0.23.0 to 0.24.0 by @dependabot in #1071
Properly support skipping of non-mandatory extensions by @codablock in #1066
git: Refine some codes in test and non-test. by @onee-only in #1077
plumbing: protocol/packp, client-side filter capability support by @edigaryev in #1000
build: bump golang.org/x/net from 0.22.0 to 0.23.0 in /cli/go-git by @dependabot in #1078
plumbing: fix sideband demux on flush by @aymanbagabas in #1084
storage: dotgit, head reference usually comes first by @aymanbagabas in #1085
build: bump golang.org/x/text from 0.14.0 to 0.15.0 by @dependabot in #1091
build: bump golang.org/x/crypto from 0.22.0 to 0.23.0 by @dependabot in #1094
build: bump golang.org/x/net from 0.24.0 to 0.25.0 by @dependabot in #1093
git: Added an example for Repository.Branches by @johnmatthiggins in #1088
git: worktree_commit, Modify checking empty commit. Fixes #723 by @onee-only in #1050
plumbing: transport/http, Wrap http errors to return reason. Fixes #1097 by @ggambetti in #1100
build: bump golang.org/x/sys from 0.20.0 to 0.21.0 by @dependabot in #1106
build: bump golang.org/x/text from 0.15.0 to 0.16.0 by @dependabot in #1107
Bumps Go versions and go-billy by @pjbgf in #1056
_examples: Fixed a dead link COMPATIBILITY.md by @gecko655 in #1109
build: bump github.com/jessevdk/go-flags from 1.5.0 to 1.6.1 in /cli/go-git by @dependabot in #1115
build: bump github.com/elazarl/goproxy from v0.0.0-20230808193330-2592e75ae04a to v0.0.0-20240618083138-03be62527ccb by @hbelmiro in #1124
build: bump golang.org/x/net from 0.25.0 to 0.26.0 by @dependabot in #1104
Add option approximating git clean -x flag. by @msuozzo in #995
Revert "Add option approximating git clean -x flag." by @pjbgf in #1129
Fix reference updated concurrently error for the filesystem storer by @Javier-varez in #1116
build: bump golang.org/x/net from 0.26.0 to 0.27.0 by @dependabot in #1134
utils: merkletrie, Align error message with upstream by @pjbgf in #1142
plumbing: transport/file, Change paths to absolute by @pjbgf in #1141
plumbing: gitignore, Fix loading of ignored .gitignore files. by @Achilleshiel in #1114
build: bump github.com/skeema/knownhosts from 1.2.2 to 1.3.0 by @dependabot in #1147
plumbing: transport/ssh, Add support for SSH @cert-authority. by @Javier-varez in #1157
build: run example tests during CI workflow by @crazybolillo in #1030
storage: filesystem, Fix object cache not working due to uninitialised objects being put into cache by @SatelliteMind in #1138
git: Fix fetching missing commits by @AriehSchneier in #1032
plumbing: format/packfile, remove duplicate checks in findMatch() by @edigaryev in #1152
git: worktree, Fix file reported as Untracked while it is committed by @rodrigocam in #1023
build: bump golang.org/x/sys from 0.22.0 to 0.23.0 by @dependabot in #1160
plumbing: filemode, Remove check for setting size of .git/index file by @nicholasSUSE in #1159
build: bump golang.org/x/net from 0.27.0 to 0.28.0 by @dependabot in #1163
Fix some lint warning and increase stalebot to 180 days by @pjbgf in #1128
adjust path extracted from file: url on Windows by @tomqwpl in #416
build: bump golang.org/x/sys from 0.23.0 to 0.24.0 by @dependabot in #1164
Add RestoreStaged to Worktree that mimics the behaviour of git restore --staged ... by @ben-tbotlabs in #493
plumbing: signature, support the same x509 signature formats as git by @yoavamit in #1169
fix: allow discovery of non bare repos in fsLoader by @jakobmoellerdev in #1170
build: bump golang.org/x/sys from 0.24.0 to 0.25.0 by @dependabot in #1178
build: bump golang.org/x/text from 0.17.0 to 0.18.0 by @dependabot in #1179
build: bump golang.org/x/net from 0.28.0 to 0.29.0 by @dependabot in #1184
Consume push URLs when they are provided by @mcepl in #1191
*: use gocheck's MkDir instead of TempDir for tests. Fixes #807 by @uragirii in #1194
build: bump golang.org/x/net from 0.29.0 to 0.30.0 by @dependabot in #1200
worktree: .git/index not correctly generated when running on Windows by @BeChris in #1198
git: worktree, Fix sparse reset. Fixes #90 by @onee-only in #1101
git: worktree, Pass context on updateSubmodules. Fixes #1098 by @onee-only in #1154
build: bump github.com/go-git/go-billy/v5 from 5.5.1-0.20240427054813-8453aa90c6ec to 5.6.0 by @dependabot in #1211
Update contributing guidelines by @pjbgf in #1217
build: bump github.com/ProtonMail/go-crypto from 1.0.0 to 1.1.1 by @dependabot in #1222
build: bump golang.org/x/sys from 0.26.0 to 0.27.0 by @dependabot in #1223
build: bump golang.org/x/crypto from 0.28.0 to 0.29.0 by @dependabot in #1221
build: bump github.com/ProtonMail/go-crypto from 1.1.1 to 1.1.2 by @dependabot in #1226
build: bump github.com/stretchr/testify from 1.9.0 to 1.10.0 by @dependabot in #1232
build: bump github.com/ProtonMail/go-crypto from 1.1.2 to 1.1.3 by @dependabot in #1231
build: General improvements around fuzzing by @pjbgf in #1229
build: bump golang.org/x/net from 0.30.0 to 0.32.0 by @dependabot in #1241
build: group dependabot updates for golang.org by @AriehSchneier in #1243
build: bump github/codeql-action from 2.22.11 to 3.27.6 by @dependabot in #1244
build: bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /cli/go-git by @dependabot in #1246
build: bump golang.org/x/crypto from 0.30.0 to 0.31.0 by @dependabot in #1247
build: bump github.com/gliderlabs/ssh from 0.3.7 to 0.3.8 by @dependabot in #1248
add comment preventing people from creating invalid trees by @petar in #732
build: bump github/codeql-action from 3.27.6 to 3.27.9 by @dependabot in #1250
plumbing: Properly encode index version 4 by @BeChris in #1251
Fix typos by @deining in #1148
Fix reset files in subfolders by @linglo in #1177
git: update switch cases by @hezhizhen in #1182
build: bump golang.org/x/net from 0.32.0 to 0.33.0 in the golang-org group by @dependabot in #1256
fix(1212): Fix invalid reference name error while cloning branches containing /- by @varmakarthik12 in #1257
pktline : accept upercase hexadecimal value as pktline length information by @BeChris in #1220
build: bump github/codeql-action from 3.27.9 to 3.28.0 by @dependabot in #1260
build: bump github.com/elazarl/goproxy from 0.0.0-20240618083138-03be62527ccb to 1.2.1 by @dependabot in #1262
git: worktree_commit, sanitize author and commiter name and email before creating the commit object. Fixes #680 by @BeChris in #1261

New Contributors

@johnmatthiggins made their first contribution in #1088
@ggambetti made their first contribution in #1100
@gecko655 made their first contribution in #1109
@hbelmiro made their first contribution in #1124
@msuozzo made their first contribution in #995
@Javier-varez made their first contribution in #1116
@Achilleshiel made their first contribution in #1114
@crazybolillo made their first contribution in #1030
@SatelliteMind made their first contribution in #1138
@rodrigocam made their first contribution in #1023
@nicholasSUSE made their first contribution in #1159
@tomqwpl made their first contribution in #416
@ben-tbotlabs made their first contribution in #493
@yoavamit made their first contribution in #1169
@uragirii made their first contribution in #1194
@petar made their first contribution in #732
@deining made their first contribution in #1148
@linglo made their first contribution in #1177
@varmakarthik12 made their first contribution in #1257

Full Changelog: v5.12.0...v5.13.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

go-git-renovate · 2025-11-23T20:48:57Z

ℹ Artifact update notice

File name: cli/go-git/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

6 additional dependencies were updated

Details:

Package	Change
`github.com/ProtonMail/go-crypto`	`v1.0.0` -> `v1.1.3`
`github.com/cyphar/filepath-securejoin`	`v0.2.4` -> `v0.2.5`
`github.com/go-git/go-billy/v5`	`v5.5.0` -> `v5.6.0`
`github.com/skeema/knownhosts`	`v1.2.2` -> `v1.3.0`
`golang.org/x/mod`	`v0.12.0` -> `v0.17.0`
`golang.org/x/tools`	`v0.13.0` -> `v0.21.1-0.20240508182429-e35e4ccd0d2d`

This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | `v5.16.3` -> `v5.16.4` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgo-git%2fgo-git%2fv5/v5.16.4?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgo-git%2fgo-git%2fv5/v5.16.3/v5.16.4?slim=true) | --- ### Release Notes <details> <summary>go-git/go-git (github.com/go-git/go-git/v5)</summary> ### [`v5.16.4`](https://github.com/go-git/go-git/releases/tag/v5.16.4) [Compare Source](go-git/go-git@v5.16.3...v5.16.4) #### What's Changed - backport plumbing: format/idxfile, prevent panic by [@swills](https://github.com/swills) in [#1732](go-git/go-git#1732) - \[backport] build: test, Fix build on Windows. by [@pjbgf](https://github.com/pjbgf) in [#1734](go-git/go-git#1734) - build: Update module golang.org/x/net to v0.38.0 \[SECURITY] (releases/v5.x) by [@go-git-renovate](https://github.com/go-git-renovate)\[bot] in [#1742](go-git/go-git#1742) - build: Update module github.com/cloudflare/circl to v1.6.1 \[SECURITY] (releases/v5.x) by [@go-git-renovate](https://github.com/go-git-renovate)\[bot] in [#1741](go-git/go-git#1741) - build: Update module github.com/go-git/go-git/v5 to v5.13.0 \[SECURITY] (releases/v5.x) by [@go-git-renovate](https://github.com/go-git-renovate)\[bot] in [#1743](go-git/go-git#1743) **Full Changelog**: <go-git/go-git@v5.16.3...v5.16.4> </details> --- ### Configuration 📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/1269 Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org> Co-authored-by: Renovate Bot <bot@kriese.eu> Co-committed-by: Renovate Bot <bot@kriese.eu>

go-git-renovate bot added the dependencies Pull requests that update a dependency file label Nov 23, 2025

go-git-renovate bot changed the title ~~fix(deps): update module github.com/go-git/go-git/v5 to v5.13.0 [security] (releases/v5.x)~~ build: Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] (releases/v5.x) Nov 23, 2025

go-git-renovate bot force-pushed the renovate/releases/v5.x-go-github.com-go-git-go-git-v5-vulnerability branch 2 times, most recently from b7b627b to a8e82da Compare November 23, 2025 21:58

build: Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY]

3e752f0

pjbgf force-pushed the renovate/releases/v5.x-go-github.com-go-git-go-git-v5-vulnerability branch from 06541f2 to 3e752f0 Compare November 23, 2025 22:26

pjbgf approved these changes Nov 23, 2025

View reviewed changes

pjbgf merged commit de8ecc3 into releases/v5.x Nov 23, 2025
31 of 32 checks passed

pjbgf deleted the renovate/releases/v5.x-go-github.com-go-git-go-git-v5-vulnerability branch November 23, 2025 22:36

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build: Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] (releases/v5.x)#1743

build: Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] (releases/v5.x)#1743
pjbgf merged 1 commit intoreleases/v5.xfrom
renovate/releases/v5.x-go-github.com-go-git-go-git-v5-vulnerability

go-git-renovate bot commented Nov 23, 2025 •

edited

Loading

Uh oh!

go-git-renovate bot commented Nov 23, 2025 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

go-git-renovate bot commented Nov 23, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

go-git has an Argument Injection via the URL field

Details

Impact

Affected versions

Workarounds

Credit

Severity

References

go-git clients vulnerable to DoS via maliciously crafted Git server replies

Details

Impact

Patches

Workarounds

Credit

Severity

References

Argument Injection via the URL field in github.com/go-git/go-git

Details

Severity

References

Clients vulnerable to DoS via maliciously crafted Git server replies in github.com/go-git/go-git

Details

Severity

References

Release Notes

v5.13.0

What's Changed

New Contributors

Configuration

Uh oh!

go-git-renovate bot commented Nov 23, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

ℹ Artifact update notice

File name: cli/go-git/go.mod

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

go-git-renovate bot commented Nov 23, 2025 •

edited

Loading

`v5.13.0`

go-git-renovate bot commented Nov 23, 2025 •

edited

Loading