CVE-2026-25934 in go-gitinfo

Zusammenfassung

von MITRE • 10.02.2026

go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would likely result in unexpected errors such as object not found. For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (.idx) are generated locally by go-git, or the git cli, when new .pack files are received and processed. The integrity checks for both files were not being verified correctly. This vulnerability is fixed in 5.16.5.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Zuständig

GitHub M

Reservieren

09.02.2026

Veröffentlichung

10.02.2026

Moderieren

akzeptiert

Eintrag

VDB-345078

CPE

bereit

CWE

CWE-354 (bestätigt)

CVSS

4.3 (NVD)

EPSS

0.00007

KEV

nein

Aktivitäten

very low

Sektor

Hostingprovider

Quellen

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-25934
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-25934
CVE Details	https://www.cvedetails.com/cve/CVE-2026-25934/

◂ Zurück Übersicht Weiter ▸

Do you need the next level of professionalism?

Upgrade your account now!