Skip to content

Update module github.com/go-git/go-git/v5 to v5.19.0 [SECURITY] (release-v0.6)#3293

Closed
renovate[bot] wants to merge 1 commit into
release-v0.6from
renovate/release-v0.6-go-github.com-go-git-go-git-v5-vulnerability
Closed

Update module github.com/go-git/go-git/v5 to v5.19.0 [SECURITY] (release-v0.6)#3293
renovate[bot] wants to merge 1 commit into
release-v0.6from
renovate/release-v0.6-go-github.com-go-git-go-git-v5-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented May 11, 2026

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/go-git/go-git/v5 v5.18.0v5.19.0 age adoption passing confidence

go-git: Credential leak via cross-host redirect in smart HTTP transport

CVE-2026-41506 / GHSA-3xc5-wrhm-f963

More information

Details

Impact

go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations.

If a remote repository responds to the initial /info/refs request with a redirect to a different host, go-git updates the session endpoint to the redirected location and reuses the original authentication for subsequent requests. This can result in the credentials (e.g. Authorization headers) being sent to an unintended host.

An attacker controlling or influencing the redirect target can capture these credentials and potentially reuse them to access the victim’s repositories or other resources, depending on the scope of the credential.

Clients using go-git exclusively with trusted remotes (for example, GitHub or GitLab), and over a secure HTTPS connection, are not affected by this issue. The risk arises when interacting with untrusted or misconfigured Git servers, or when using unsecured HTTP connections, which is not recommended. Such configurations also expose clients to a broader class of security risks beyond this issue, including credential interception and tampering of repository data.

Patches

Users should upgrade to v5.18.0, or v6.0.0-alpha.2, in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version.

The patched versions add support for configuring followRedirects. In line with upstream behaviour, the default is now initial, while users can opt into FollowRedirects or NoFollowRedirects programmatically.

Credit

Thanks to the 3 separate reports from @​celinke97, @​N0zoM1z0 and @​AyushParkara. Thanks for finding and reporting this issue privately to the go-git project. 🙇

Severity

  • CVSS Score: 4.7 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git

CVE-2026-45022 / GHSA-389r-gv7p-r3rp

More information

Details

Impact

go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representation may expose values differently from how Git itself would interpret or reject the same object.

Additionally, go-git’s commit signing and verification logic operates over commit data reconstructed from go-git’s parsed representation rather than the original raw object bytes. As a result, go-git may sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository.

This can cause a signature to appear valid for a commit whose displayed or effective metadata differs from the object that was intended to be signed.

Patches

Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version.

Credit

Thanks to @​bugbunny-research (https://bugbunny.ai/) for reporting this to sigstore/gitsign, and to @​wlynch, @​patzielinski and @​adityasaky for coordinating the disclosure with the go-git project. 🙇 🥇

Thanks to @​wayphinder for reporting this to the go-git project. 🙇

Severity

  • CVSS Score: 7.0 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

go-git/go-git (github.com/go-git/go-git/v5)

v5.19.0

Compare Source

What's Changed

Full Changelog: go-git/go-git@v5.18.0...v5.19.0

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
Copy link
Copy Markdown
Contributor Author

renovate Bot commented May 11, 2026

ℹ️ Artifact update notice

File name: acceptance/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 10 additional dependencies were updated

Details:

Package Change
github.com/go-git/go-billy/v5 v5.8.0 -> v5.9.0
golang.org/x/exp v0.0.0-20260312153236-7ab1446f8b90 -> v0.0.0-20260410095643-746e56fc9e2f
github.com/cyphar/filepath-securejoin v0.4.1 -> v0.6.1
github.com/pjbgf/sha1cd v0.3.2 -> v0.6.0
golang.org/x/crypto v0.46.0 -> v0.50.0
golang.org/x/mod v0.34.0 -> v0.35.0
golang.org/x/net v0.48.0 -> v0.53.0
golang.org/x/sys v0.41.0 -> v0.43.0
golang.org/x/term v0.38.0 -> v0.42.0
golang.org/x/text v0.32.0 -> v0.36.0
File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 11 additional dependencies were updated

Details:

Package Change
golang.org/x/exp v0.0.0-20260312153236-7ab1446f8b90 -> v0.0.0-20260410095643-746e56fc9e2f
golang.org/x/net v0.52.0 -> v0.53.0
github.com/cyphar/filepath-securejoin v0.4.1 -> v0.6.1
github.com/go-git/go-billy/v5 v5.8.0 -> v5.9.0
github.com/pjbgf/sha1cd v0.3.2 -> v0.6.0
golang.org/x/crypto v0.49.0 -> v0.50.0
golang.org/x/mod v0.34.0 -> v0.35.0
golang.org/x/sys v0.42.0 -> v0.43.0
golang.org/x/term v0.41.0 -> v0.42.0
golang.org/x/text v0.35.0 -> v0.36.0
golang.org/x/tools v0.43.0 -> v0.44.0

@codecov
Copy link
Copy Markdown

codecov Bot commented May 11, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
generative 70.92% <ø> (ø)
integration 70.92% <ø> (ø)
unit 70.92% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@st3penta st3penta closed this May 12, 2026
@renovate
Copy link
Copy Markdown
Contributor Author

renovate Bot commented May 12, 2026

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (v5.19.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate Bot deleted the renovate/release-v0.6-go-github.com-go-git-go-git-v5-vulnerability branch May 12, 2026 09:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

release-v0.6 renovate size: L

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@st3penta