Severity: high advisory

go-git Improper Parsing of Malformed Git Objects

go-git may parse malformed Git objects differently than upstream Git, leading to inconsistent interpretation and potentially allowing the signing or verification of commits with altered metadata, as described in CVE-2026-45022.

The go-git library, a Git implementation written in Go, is vulnerable to improper parsing of specially crafted Git objects. Specifically, when commit or tag objects contain ambiguous or malformed headers, go-git may expose values that differ from how Git itself would interpret, or reject, the same object. The vulnerability also affects commit signing and verification logic, potentially leading to the acceptance of signatures for commits whose displayed metadata differs from the object that was originally signed. This issue impacts go-git/go-git/v6 versions from 6.0.0-alpha.1 to 6.0.0-alpha.2 and go-git/go-git/v5 versions prior to 5.19.0. It matters because a user may trust a commit whose metadata has been altered, opening the door to supply chain attacks or other forms of code compromise. The CVE associated with this vulnerability is CVE-2026-45022.

Attack Chain

  1. An attacker crafts a malicious Git repository containing a commit or tag object with malformed headers.
  2. The malformed object is designed to exploit the parsing differences between go-git and upstream Git.
  3. A user or system clones or fetches the malicious repository using a vulnerable version of go-git.
  4. go-git parses the malformed object, leading to an inconsistent internal representation of the commit or tag.
  5. If commit signing or verification is performed, go-git operates on the reconstructed data.
  6. The signing process uses the altered commit payload, resulting in a signature that doesn’t match the original object.
  7. During verification, go-git might accept a signature for a commit whose metadata differs from the intended signed version.
  8. The user trusts the commit based on the seemingly valid signature, potentially introducing malicious code or configuration.

Impact

The vulnerability in go-git could lead to the acceptance of malicious code into a project, even if it is signed. This can occur because go-git may incorrectly verify a commit signature due to parsing differences. The number of victims is potentially large, as go-git is a widely used library in the Go ecosystem. Targeted sectors include software development, DevOps, and any industry relying on Git for version control and software distribution. A successful attack could compromise software integrity, leading to supply chain attacks and data breaches.

Recommendation

  • Upgrade to go-git/go-git/v5 version 5.19.0 or later to address CVE-2026-45022.
  • If using go-git/go-git/v6, avoid versions between 6.0.0-alpha.1 and 6.0.0-alpha.2.
  • Implement integrity checks on Git objects to detect inconsistencies between go-git’s representation and the actual object data.
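The last recommendation, an integrity check that catches objects whose parsed view may not match the stored bytes, can be implemented without trusting any single Git library's parser. The program below is an added example written for this advisory; it is not go-git's code and does not describe how go-git or upstream Git actually parse objects. It assumes the documented commit object body format (tree, parent, author, committer, optional gpgsig with space-prefixed continuation lines, a blank line, then the message), parses it strictly, rejecting every header shape that two implementations could plausibly read differently (duplicated or missing mandatory headers, headers out of canonical order, stray continuation lines, unknown keys, missing separator), and then re-encodes the parsed commit and requires it to be byte-identical to the input. The sample objects at the bottom are constructed for the demonstration; the gpgsig body is a placeholder, not a real signature.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strings"
)

var ErrMalformed = errors.New("malformed commit object")

// Commit holds the fields of a git commit object body (the bytes after the
// "commit <size>\x00" prefix). GPGSig keeps newlines but not continuation spaces.
type Commit struct {
	Tree, Author, Committer, GPGSig, Message string
	Parents                                  []string
}

// ParseCommitStrict refuses anything two implementations could read differently:
// no blank-line separator, empty or value-less header lines, continuation lines
// outside gpgsig, unknown keys, non-hex object ids, missing or repeated mandatory
// headers, and headers out of canonical order (tree, parent*, author, committer, gpgsig?).
func ParseCommitStrict(raw []byte) (*Commit, error) {
	sep := bytes.Index(raw, []byte("\n\n"))
	if sep < 0 {
		return nil, fmt.Errorf("%w: no blank line between headers and message", ErrMalformed)
	}
	c := &Commit{Message: string(raw[sep+2:])}
	field := map[string]*string{"tree": &c.Tree, "author": &c.Author, "committer": &c.Committer, "gpgsig": &c.GPGSig}
	rank := map[string]int{"tree": 0, "parent": 1, "author": 2, "committer": 3, "gpgsig": 4}
	count := map[string]int{}
	last, lastRank := "", -1
	for _, line := range bytes.Split(raw[:sep], []byte("\n")) {
		if len(line) > 0 && line[0] == ' ' { // continuation line: only gpgsig may have them
			if last != "gpgsig" {
				return nil, fmt.Errorf("%w: continuation line after %q", ErrMalformed, last)
			}
			c.GPGSig += "\n" + string(line[1:])
			continue
		}
		key, val, ok := bytes.Cut(line, []byte(" "))
		k, v := string(key), string(val)
		r, known := rank[k]
		switch {
		case !ok || k == "" || v == "" || !known:
			return nil, fmt.Errorf("%w: bad header line %q", ErrMalformed, line)
		case r < lastRank:
			return nil, fmt.Errorf("%w: header %q out of order", ErrMalformed, k)
		case (k == "tree" || k == "parent") && (len(v) != 40 || strings.Trim(v, "0123456789abcdef") != ""):
			return nil, fmt.Errorf("%w: %s is not a 40-hex object id", ErrMalformed, k)
		}
		last, lastRank = k, r
		count[k]++
		if k == "parent" {
			c.Parents = append(c.Parents, v)
		} else {
			*field[k] = v
		}
	}
	for _, k := range []string{"tree", "author", "committer", "gpgsig"} {
		if count[k] > 1 || (count[k] == 0 && k != "gpgsig") {
			return nil, fmt.Errorf("%w: header %q appears %d times", ErrMalformed, k, count[k])
		}
	}
	return c, nil
}

// Encode re-serializes the commit in canonical form.
func (c *Commit) Encode() []byte {
	var b bytes.Buffer
	fmt.Fprintf(&b, "tree %s\n", c.Tree)
	for _, p := range c.Parents {
		fmt.Fprintf(&b, "parent %s\n", p)
	}
	fmt.Fprintf(&b, "author %s\ncommitter %s\n", c.Author, c.Committer)
	if c.GPGSig != "" {
		fmt.Fprintf(&b, "gpgsig %s\n", strings.ReplaceAll(c.GPGSig, "\n", "\n "))
	}
	b.WriteString("\n" + c.Message)
	return b.Bytes()
}

// CheckCommitIntegrity passes only when the body parses strictly and re-encoding it
// reproduces the stored bytes; any difference means the parsed view (what a user or
// a signer sees) is not a faithful picture of the object.
func CheckCommitIntegrity(raw []byte) error {
	c, err := ParseCommitStrict(raw)
	if err != nil {
		return err
	}
	if !bytes.Equal(c.Encode(), raw) {
		return fmt.Errorf("%w: re-encoded object differs from stored bytes", ErrMalformed)
	}
	return nil
}

// Constructed sample objects (not from any real repository); the gpgsig body is a placeholder.
const ident = "Alice <alice@example.com> 1700000000 +0000"

var (
	goodCommit   = []byte("tree " + strings.Repeat("ab", 20) + "\nauthor " + ident + "\ncommitter " + ident + "\n\nInitial commit\n")
	dupAuthor    = []byte("tree " + strings.Repeat("ab", 20) + "\nauthor " + ident + "\nauthor Mallory <m@example.com> 1700000000 +0000\ncommitter " + ident + "\n\nInitial commit\n")
	signedCommit = []byte("tree " + strings.Repeat("ab", 20) + "\nparent " + strings.Repeat("cd", 20) + "\nauthor " + ident + "\ncommitter " + ident + "\ngpgsig -----BEGIN PGP SIGNATURE-----\n \n iQEzBAABCAAdFiEEplaceholder\n -----END PGP SIGNATURE-----\n\nSigned commit\n")
)
```

Run `CheckCommitIntegrity` on the raw object bytes (for example, the decompressed loose object or the object read back from a packfile) before any signature is created or verified; `goodCommit` and `signedCommit` pass, while `dupAuthor`, whose two author headers could be surfaced differently by different parsers, is rejected. The round-trip comparison is the important half: a parser that silently drops or reorders a header still fails the check, because its canonical re-encoding no longer matches what is stored.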

Detection coverage (2 rules)

Detect go-git Malformed Commit Parsing - Suspicious Object Header

medium

Detects CVE-2026-45022 - Suspicious Git object headers that may indicate an attempt to exploit go-git's parsing vulnerability.

Format: Sigma. Tactics: initial_access. Techniques: T1190. Sources: process_creation, linux.

Detect go-git Malformed Commit Parsing - Git Object with Invalid Header Format

medium

Detects CVE-2026-45022 - Unusual Git object header formatting during git operations, potentially indicating an exploit attempt targeting `go-git`.

Format: Sigma. Tactics: initial_access. Techniques: T1190. Sources: process_creation, linux.
