Broken Seals: How go-git Forgot to Check the Receipt (CVE-2026-25934)
Vulnerability ID: CVE-2026-25934
CVSS Score: 4.3
Published: 2026-02-10
A fundamental data integrity flaw in the popular go-git library allowed for the consumption of corrupted or malicious Git packfiles without detection. By failing to verify checksums in .pack and .idx files, the library broke the core promise of Git's content-addressable storage model.
TL;DR
The go-git library, used extensively in the Go ecosystem for Git operations, failed to validate SHA-1 checksums when processing packfiles. This means an attacker (or a bad disk sector) could feed the library corrupted data, and go-git would happily commit it to your object database without raising an error. Fixed in v5.16.5.
Technical Details
- CWE ID: CWE-354
- Attack Vector: Network
- CVSS Score: 4.3 (Medium)
- Impact: Data Integrity Loss
- Exploit Status: Theoretical / PoC
- Patch Date: 2026-02-09
Affected Systems
- Go-based CI/CD systems (e.g., ArgoCD, Flux, depending on which go-git version their dependencies pull in)
- Vulnerability scanners using go-git
- Custom DevOps tooling written in Go
- Git-based CMS or Wiki software
- go-git/go-git: < 5.16.5 (Fixed in: 5.16.5)
Exploit Details
- Theoretical: MITM injection of malformed packfiles to cause integrity drift.
Mitigation Strategies
- Update go-git to version 5.16.5 or later.
- Force re-cloning of critical repositories to ensure clean state.
- Implement application-level hash verification for critical artifacts.
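The check go-git was missing, as an added example (not code from the go-git project or from the original report): the last 20 bytes of a .pack file are the SHA-1 of everything before them, so a consumer can refuse a corrupted packfile before writing a single object to the database. The zero-object packfile and the flipped bit are constructed test data.

```go
package main

import (
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// VerifyPackChecksum checks the integrity trailer Git writes at the end of every
// .pack file: the final 20 bytes are the SHA-1 of everything before them.
func VerifyPackChecksum(pack []byte) error {
	const headerLen = 12 // "PACK" magic + version + object count
	if len(pack) < headerLen+sha1.Size {
		return fmt.Errorf("packfile too short: %d bytes", len(pack))
	}
	if string(pack[:4]) != "PACK" {
		return fmt.Errorf("bad magic %q", pack[:4])
	}
	body, trailer := pack[:len(pack)-sha1.Size], pack[len(pack)-sha1.Size:]
	want := sha1.Sum(body)
	if subtle.ConstantTimeCompare(want[:], trailer) != 1 {
		return fmt.Errorf("pack checksum mismatch: want %x, got %x", want, trailer)
	}
	return nil
}

// BuildEmptyPack constructs a minimal, valid version-2 packfile holding
// zero objects. Constructed test data, not captured from a real repository.
func BuildEmptyPack() []byte {
	hdr := make([]byte, 12)
	copy(hdr, "PACK")
	binary.BigEndian.PutUint32(hdr[4:], 2) // pack format version
	binary.BigEndian.PutUint32(hdr[8:], 0) // object count
	sum := sha1.Sum(hdr)
	return append(hdr, sum[:]...)
}

// Corrupt returns a copy of pack with one bit flipped in the object count,
// the kind of silent damage a bad disk sector or tampering on the wire causes.
func Corrupt(pack []byte) []byte {
	bad := append([]byte(nil), pack...)
	bad[8] ^= 0x01
	return bad
}

func main() {
	good := BuildEmptyPack()
	fmt.Println("clean pack:    ", VerifyPackChecksum(good))
	fmt.Println("corrupted pack:", VerifyPackChecksum(Corrupt(good)))
}
```

A consumer that applies this before unpacking gets the behaviour v5.16.5 restores: damaged input is rejected instead of silently entering the object store.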
Remediation Steps:
- Identify all Go services using `github.com/go-git/go-git/v5`.
- Run `go get github.com/go-git/go-git/v5@v5.16.5` in each project root.
- Run `go mod tidy` and commit `go.sum` changes.
- Redeploy services.
- Run `git fsck` on any persistent volumes storing Git data.