Fluid Attacks Database

Description

go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A repository path containing a single quote can therefore break out of the quoted region in the exec command and be appended as additional shell tokens. This vulnerability is fixed in 5.19.1 and 6.0.0-alpha.4.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/go-git/go-git/v5	>=0 <5.19.1	5.19.1
go	github.com/go-git/go-git/v6	>=0 <6.0.0-alpha.4	6.0.0-alpha.4
go	github.com/go-git/go-git	>=0 <=4.7.0	-
debian 12	golang-github-go-git-go-git	=5.11.0-1 \|\| =5.11.0-2 \|\| =5.11.0-3 \|\| =5.11.0-4 \|\| =5.12.0-1 \|\| =5.13.2-1 \|\| =5.14.0-1 \|\| =5.16.2-1 \|\| =5.17.0-1 \|\| =5.17.1-1 \|\| =5.19.1-1 \|\| =5.4.2-3 \|\| =5.4.2-4	-
debian 13	golang-github-go-git-go-git	=5.14.0-1 \|\| =5.16.2-1 \|\| =5.17.0-1 \|\| =5.17.1-1 \|\| =5.19.1-1	-
debian 14	golang-github-go-git-go-git	=5.14.0-1 \|\| =5.16.2-1 \|\| =5.17.0-1 \|\| =5.17.1-1 \|\| >=0 <5.19.1-1	5.19.1-1
debian 14	golang-github-go-git-go-git-v6	=6.0.0~alpha.4-1 \|\| =6.0.0~alpha4-1 \|\| =6.0.0~alpha4-2 \|\| =6~git20260305.2083cf94-1 \|\| =6~git20260305.2083cf94-2 \|\| =6~git20260305.2083cf94-3	-

Aliases

1. CVE-2026-455702. NVD-2026-455703. OSV-2026-455704. OSV-DEBIAN-2026-455705. GHSA-m7cr-m3pv-hgrp6. GCVE-2026-455707. SECURITY-TRACKER-CVE-2026-45570

References

1. https://github.com/go-git/go-git/security/advisories/GHSA-m7cr-m3pv-hgrp

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.