CVE-2026-25934 in go-git
Summary
by MITRE • 02/10/2026
go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would likely result in unexpected errors such as object not found. For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (.idx) are generated locally by go-git, or the git cli, when new .pack files are received and processed. The integrity checks for both files were not being verified correctly. This vulnerability is fixed in 5.16.5.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 02/21/2026
The vulnerability identified as CVE-2026-25934 affects go-git, a widely-used pure Go implementation of the Git version control system. This library serves as a foundational component for numerous applications and tools that require Git functionality within Go environments, making its security implications particularly significant. The flaw resides in the library's handling of packfile integrity verification, specifically concerning .pack and .idx file validation mechanisms that are critical for maintaining data consistency in distributed version control systems. Prior to version 5.16.5, the implementation failed to properly validate the integrity checks that are standard practice in Git operations, creating a potential attack surface where malicious or corrupted data could be processed without detection.
The technical nature of this vulnerability stems from the improper verification of checksums within Git packfiles and their corresponding index files. In standard Git operations, packfiles (.pack) contain compressed objects with embedded checksums that verify data integrity during transfer and storage. The index files (.idx) are generated locally to provide fast access to objects within packfiles, and they also contain integrity verification data. When go-git fails to properly validate these checksums, it allows corrupted data to be consumed by the library, potentially leading to object not found errors and other operational failures. This issue represents a deviation from the expected Git protocol behavior where integrity verification is mandatory for data consistency. The vulnerability aligns with CWE-347, which addresses improper verification of cryptographic signatures or checksums, and specifically relates to the lack of proper input validation in file processing operations.
The operational impact of this vulnerability extends beyond simple error conditions to potentially compromise the integrity of Git repositories managed through affected applications. When corrupted packfiles are processed without proper validation, it can lead to inconsistent repository states, failed operations, and in some scenarios, could enable attackers to manipulate repository contents through carefully crafted corrupted data. This risk is particularly concerning in environments where go-git is used for automated deployment pipelines, continuous integration systems, or any scenario where repository integrity is paramount. The vulnerability essentially undermines the fundamental security guarantees that Git provides through its built-in integrity checking mechanisms, potentially allowing for silent data corruption that could go undetected until much later in the development lifecycle. Attackers could exploit this weakness by providing maliciously crafted packfiles that bypass the integrity checks, leading to potential data manipulation or service disruption.
The fix implemented in go-git version 5.16.5 addresses the core issue by restoring proper verification of integrity values in both .pack and .idx files. This update ensures that checksums are properly validated before any data processing occurs, maintaining the expected Git protocol behavior and restoring the security guarantees that users depend upon. Organizations using go-git should immediately upgrade to version 5.16.5 or later to mitigate this vulnerability. The remediation process involves simply updating the library dependency, but system administrators should also consider implementing additional monitoring for any unusual Git operations or errors that might have occurred during the vulnerability window. This vulnerability demonstrates the critical importance of maintaining proper integrity verification in distributed systems and aligns with ATT&CK technique T1566.002, which involves the exploitation of vulnerabilities in software libraries to gain unauthorized access or manipulate data integrity. The incident underscores the necessity of rigorous security testing for core infrastructure components and the importance of keeping third-party dependencies up to date with security patches.