{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/go-git/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":5.4,"id":"CVE-2026-45571"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["go-git"],"_cs_severities":["high"],"_cs_tags":["cve","go-git","git","directory modification","code execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-45571 (CVSS 5.4) is a vulnerability in go-git, a popular Go implementation of Git. A malicious actor can craft a repository that, when cloned or checked out by an application using a vulnerable version of go-git, writes into the \u003ccode\u003e.git\u003c/code\u003e directory of the main repository and of its submodules. Those writes can overwrite configuration files or plant Git hooks, and a planted hook runs the code its author chose the next time a hook-aware Git client (the git command line, for example) performs the matching operation in that checkout. Successful exploitation can therefore lead to arbitrary code execution or disclosure of sensitive information. Defenders should prioritise identifying applications that use vulnerable versions of go-git and upgrading them.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Git repository whose tree contains specially crafted paths or symbolic links designed to reach \u003ccode\u003e.git\u003c/code\u003e directories.\u003c/li\u003e\n\u003cli\u003eA user or automated system (a CI runner, a build tool, a deployment agent) clones or checks out the repository with a vulnerable version of go-git.\u003c/li\u003e\n\u003cli\u003ego-git writes the repository content to disk without rejecting those paths or links.\u003c/li\u003e\n\u003cli\u003eThe crafted content overwrites or modifies files inside the main repository\u0026rsquo;s \u003ccode\u003e.git\u003c/code\u003e directory, such as \u003ccode\u003econfig\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe same technique reaches any submodules present, modifying their respective \u003ccode\u003e.git\u003c/code\u003e directories.\u003c/li\u003e\n\u003cli\u003eWith write access to \u003ccode\u003e.git\u003c/code\u003e, the attacker plants hooks, for example \u003ccode\u003epre-commit\u003c/code\u003e or \u003ccode\u003epost-checkout\u003c/code\u003e (server-side hooks such as \u003ccode\u003epost-receive\u003c/code\u003e matter when other users push into the compromised repository).\u003c/li\u003e\n\u003cli\u003eThe next time a hook-aware Git client performs the matching operation in that checkout (commit, checkout, merge, push), the planted hook executes.\u003c/li\u003e\n\u003cli\u003eThe hook runs arbitrary code with the privileges of that user or CI job, potentially leading to complete system compromise or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-45571 gives an attacker arbitrary code execution on systems that clone untrusted repositories with vulnerable versions of go-git, and with it whatever credentials, secrets and source code the affected user or CI job can reach. The vulnerability is most dangerous where go-git runs unattended against externally supplied repositories: CI/CD systems, GitOps controllers, package builders and code-hosting services that manage source code, configuration files or other sensitive data in Git. No victim count is available, but go-git is widely used, so the exposed population is potentially large.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade go-git to a patched version that addresses CVE-2026-45571. Check module graphs (\u003ccode\u003ego list -m all\u003c/code\u003e) and built binaries (\u003ccode\u003ego version -m\u003c/code\u003e) for transitive uses, since go-git is often pulled in by tooling rather than imported directly.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Go-Git .git Directory Modification\u0026rdquo; to detect potential exploitation attempts in real time.\u003c/li\u003e\n\u003cli\u003eReview and audit existing Git repositories for paths that contain a \u003ccode\u003e.git\u003c/code\u003e component and for symbolic links that resolve outside the worktree or into a \u003ccode\u003e.git\u003c/code\u003e directory, and check \u003ccode\u003e.git/hooks\u003c/code\u003e for executable files other than the \u003ccode\u003e*.sample\u003c/code\u003e templates.\u003c/li\u003e\n\u003cli\u003eMonitor file system events within \u003ccode\u003e.git\u003c/code\u003e directories using the Sigma rule \u0026ldquo;Detect Git Hook Creation in .git Directory\u0026rdquo; to identify unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eUntil the upgrade lands, treat clones of untrusted repositories as hostile: perform them in disposable, unprivileged environments and do not run the git client inside the resulting checkout.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T07:25:12Z","date_published":"2026-05-28T07:25:12Z","id":"https://feed.craftedsignal.io/briefs/2026-05-go-git-dir-mod/","summary":"CVE-2026-45571 is a vulnerability in go-git that allows crafted repositories to modify main and submodule .git directories, potentially leading to arbitrary code execution or information disclosure.","title":"CVE-2026-45571 go-git Crafted Repositories Modify .git Directories","url":"https://feed.craftedsignal.io/briefs/2026-05-go-git-dir-mod/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["go-git/go-git/v6","go-git/go-git/v5"],"_cs_severities":["high"],"_cs_tags":["vulnerability","git","go","supply chain"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThe \u003ccode\u003ego-git\u003c/code\u003e 
library, a Git implementation written in Go, parses specially crafted Git objects improperly. When \u003ccode\u003ecommit\u003c/code\u003e or \u003ccode\u003etag\u003c/code\u003e objects contain ambiguous or malformed headers, \u003ccode\u003ego-git\u003c/code\u003e may expose values that differ from how Git itself would interpret the same object, or accept an object that Git would reject. The same parsing path feeds commit signing and verification, so a signature can be produced over, or accepted for, a payload whose displayed metadata differs from the object as stored. This issue affects \u003ccode\u003ego-git/go-git/v6\u003c/code\u003e versions 6.0.0-alpha.1 through 6.0.0-alpha.2 and \u003ccode\u003ego-git/go-git/v5\u003c/code\u003e versions prior to 5.19.0. It matters because a user who trusts a \u0026ldquo;verified\u0026rdquo; commit may be trusting metadata that was never signed, which is the opening for supply chain attacks and other forms of code compromise. The CVE associated with this vulnerability is CVE-2026-45022.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Git repository containing a \u003ccode\u003ecommit\u003c/code\u003e or \u003ccode\u003etag\u003c/code\u003e object with malformed headers.\u003c/li\u003e\n\u003cli\u003eThe object is built so that \u003ccode\u003ego-git\u003c/code\u003e and upstream Git parse it differently.\u003c/li\u003e\n\u003cli\u003eA user or system clones or fetches the malicious repository using a vulnerable version of \u003ccode\u003ego-git\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ego-git\u003c/code\u003e parses the object into an internal representation that no longer matches the stored bytes.\u003c/li\u003e\n\u003cli\u003eIf commit signing or verification is performed, \u003ccode\u003ego-git\u003c/code\u003e operates on that reconstructed data rather than on the raw object.\u003c/li\u003e\n\u003cli\u003eSigning therefore covers an altered payload, producing a signature that does not match the object as stored.\u003c/li\u003e\n\u003cli\u003eDuring verification, \u003ccode\u003ego-git\u003c/code\u003e may accept a signature for a commit whose metadata, as displayed, differs from what was actually signed.\u003c/li\u003e\n\u003cli\u003eThe user trusts the commit because the signature appears valid, and malicious code or configuration enters the project.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability could lead to the acceptance of malicious code into a project even though the commit appears signed, because \u003ccode\u003ego-git\u003c/code\u003e may verify a signature against a representation that differs from the stored object. The number of potential victims is large, as \u003ccode\u003ego-git\u003c/code\u003e is widely used in the Go ecosystem; the exposed sectors are software development, DevOps, and any industry that relies on Git signatures as a control over what enters version control or a release pipeline. A successful attack compromises software integrity, leading to supply chain attacks and data breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003ego-git/go-git/v5\u003c/code\u003e version 5.19.0 or later to address CVE-2026-45022.\u003c/li\u003e\n\u003cli\u003eIf using \u003ccode\u003ego-git/go-git/v6\u003c/code\u003e, do not run 6.0.0-alpha.1 or 6.0.0-alpha.2, the affected range.\u003c/li\u003e\n\u003cli\u003eWhen verifying signatures, check them over the raw object bytes (for a commit, the stored object with the \u003ccode\u003egpgsig\u003c/code\u003e header removed; for a tag, the object bytes before the appended signature block), never over a re-serialised struct, and reject any object whose parsed form does not re-serialise byte for byte to the stored object.\u003c/li\u003e\n\u003cli\u003eIn pipelines, cross-check with upstream Git (\u003ccode\u003egit verify-commit\u003c/code\u003e, \u003ccode\u003egit verify-tag\u003c/code\u003e) before acting on a signature that \u003ccode\u003ego-git\u003c/code\u003e reports as valid, since upstream Git is the reference behaviour this advisory compares against.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T14:48:49Z","date_published":"2026-05-11T14:48:49Z","id":"https://feed.craftedsignal.io/briefs/2026-05-go-git-parsing-vulnerability/","summary":"go-git may parse malformed Git objects differently than upstream Git, leading to inconsistent interpretation and potentially allowing the signing or verification of commits with altered metadata, as described in CVE-2026-45022.","title":"go-git Improper Parsing of Malformed Git Objects","url":"https://feed.craftedsignal.io/briefs/2026-05-go-git-parsing-vulnerability/"}],"language":"en","title":"CraftedSignal Threat Feed — Go-Git","version":"https://jsonfeed.org/version/1.1"}
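
The first brief above (CVE-2026-45571) describes crafted paths and symbolic links that reach `.git` directories and recommends auditing repositories for them. The Go program below is an added example written for this page; it is not code from go-git, from the go-git patch, or from CraftedSignal, and it makes no claim about which exact inputs trigger the CVE. It validates a tree listing before anything is written to disk, applying the component rules Git's own checkout enforces (no empty, `.`, `..` or `.git` component; no entry written through a symlink) plus one stricter rule of this example's own: a symlink that resolves outside the worktree or into a `.git` directory is refused rather than merely created and not followed. The `Entry` and `Finding` types, `ModeSymlink`, the reason strings and the constructed `SampleTree` are this example's assumptions; feed it the path, mode and link target of each entry from whatever tree walk your application already performs.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Entry is one tree entry as a checkout sees it, in this example's own shape
// (not go-git's types): slash-separated path relative to the worktree root,
// Git mode, and for symlinks the stored link target.
type Entry struct {
	Path   string
	Mode   uint32 // 0o100644, 0o100755, 0o120000 (symlink), 0o160000 (submodule)
	Target string
}

const ModeSymlink = 0o120000

type Finding struct{ Path, Reason string }

// badComponent returns the first component Git's own checkout refuses: empty
// (absolute path or doubled slash), ".", "..", or ".git" in any letter case,
// since case-insensitive filesystems fold it. No tree entry is legitimately
// named .git; a submodule's metadata is not a tree entry either.
func badComponent(p string) (string, bool) {
	for _, part := range strings.Split(p, "/") {
		if part == "" || part == "." || part == ".." || strings.EqualFold(part, ".git") {
			return part, true
		}
	}
	return "", false
}

// CheckEntry applies the policy to one entry. A symlink target is resolved
// relative to the link's own directory. Git would create a link that points
// outside the worktree or into .git and only refuse to write through it; an
// audit of untrusted repositories can afford to refuse the link itself.
func CheckEntry(e Entry) []Finding {
	var out []Finding
	if part, bad := badComponent(e.Path); bad {
		out = append(out, Finding{e.Path, "forbidden path component: " + part})
	}
	if e.Mode != ModeSymlink {
		return out
	}
	if path.IsAbs(e.Target) {
		return append(out, Finding{e.Path, "symlink to absolute path: " + e.Target})
	}
	resolved := path.Join(path.Dir(e.Path), e.Target) // cleaned; ".." survives only at the front
	if _, bad := badComponent(resolved); bad && resolved != "." {
		out = append(out, Finding{e.Path, "symlink resolves outside the worktree or into .git: " + resolved})
	}
	return out
}

// ValidateTree checks every entry and, in a second pass, refuses any entry
// whose leading directory is a symlink entry of the same tree: writing
// "through" a link lets the link decide where a harmless-looking file lands.
func ValidateTree(entries []Entry) []Finding {
	links := map[string]bool{}
	for _, e := range entries {
		if e.Mode == ModeSymlink {
			links[e.Path] = true
		}
	}
	var out []Finding
	for _, e := range entries {
		out = append(out, CheckEntry(e)...)
		for dir := path.Dir(e.Path); dir != "." && dir != "/"; dir = path.Dir(dir) {
			if links[dir] {
				out = append(out, Finding{e.Path, "entry is written through symlink: " + dir})
				break
			}
		}
	}
	return out
}

// SampleTree is a constructed listing, not a real repository: benign entries
// plus the shapes the brief describes (a path under .git, a symlink into .git,
// a file written through that symlink, links that leave the worktree).
var SampleTree = []Entry{
	{Path: "README.md", Mode: 0o100644},
	{Path: "docs/link", Mode: ModeSymlink, Target: "../README.md"},
	{Path: "sub/.git/config", Mode: 0o100644},
	{Path: "sub/hooks", Mode: ModeSymlink, Target: "../.git/hooks"},
	{Path: "sub/hooks/pre-commit", Mode: 0o100755},
	{Path: "tmp", Mode: ModeSymlink, Target: "/tmp"},
	{Path: "up", Mode: ModeSymlink, Target: "../../etc"},
}

func main() {
	for _, f := range ValidateTree(SampleTree) {
		fmt.Printf("REFUSE %s: %s\n", f.Path, f.Reason)
	}
}
```

Run the validation on the listing before checkout and refuse the clone if any finding comes back; a post-checkout audit cannot tell an attacker's file inside `.git` from a legitimate one, which is why the check sits before the write. The `.git` comparison is case-insensitive on purpose: on a case-insensitive filesystem an entry named `.GIT/config` would otherwise land on `.git/config`.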
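
The second brief (CVE-2026-45022) turns on one idea: a signature must be checked against the object bytes as stored, not against whatever a lenient parser reconstructed from them, and an object whose parsed form does not re-serialise byte for byte should not be shown to the user at all. The Go program below is an added example written for this page, not go-git's parser or signing code, and it does not claim to reproduce the exact malformed headers the CVE covers. `ParseStrict`, `Serialize`, `SignedPayload`, the `Header` and `Commit` types, `ErrMalformed` and the two constructed sample objects (placeholder signature text, Git's well-known empty-tree hash) are all assumptions of this example. The actual OpenPGP or SSH signature check is left to whatever verifier you already use; what the example shows is which bytes to hand it and when to refuse the object instead.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strings"
)

// Header is one "key value" line; Value keeps embedded newlines for multi-line
// headers such as gpgsig (on disk, each continuation line starts with a space).
// Commit is this example's own type, not go-git's; headers stay in on-disk order.
type Header struct{ Key, Value string }
type Commit struct {
	Headers []Header
	Message string
}

var ErrMalformed = errors.New("malformed commit object")
var singleton = map[string]bool{"tree": true, "author": true, "committer": true, "gpgsig": true}

// ParseStrict parses commit content (the bytes after the "commit <size>\x00"
// prefix), rejects layouts Git never writes (no blank line before the message,
// a header without a space, an orphan continuation line, a first header other
// than tree, a duplicated singleton header) and then refuses the object unless
// it re-serialises to exactly the input: that round trip is the integrity check
// the brief asks for, since silently "repairing" input is what lets two tools
// show different metadata for one object.
func ParseStrict(raw []byte) (*Commit, error) {
	sep := bytes.Index(raw, []byte("\n\n"))
	if sep < 0 {
		return nil, fmt.Errorf("%w: no blank line before message", ErrMalformed)
	}
	c := &Commit{Message: string(raw[sep+2:])}
	seen := map[string]bool{}
	lines := strings.Split(string(raw[:sep]), "\n")
	for i := 0; i < len(lines); i++ {
		key, value, ok := strings.Cut(lines[i], " ")
		if !ok || key == "" || (len(c.Headers) == 0 && key != "tree") {
			return nil, fmt.Errorf("%w: bad header line %q", ErrMalformed, lines[i])
		}
		if singleton[key] && seen[key] {
			return nil, fmt.Errorf("%w: duplicate %s header", ErrMalformed, key)
		}
		seen[key] = true
		for i+1 < len(lines) && strings.HasPrefix(lines[i+1], " ") { // continuation lines
			i++
			value += "\n" + lines[i][1:]
		}
		c.Headers = append(c.Headers, Header{key, value})
	}
	if !bytes.Equal(c.Serialize(), raw) {
		return nil, fmt.Errorf("%w: re-serialised object differs from input", ErrMalformed)
	}
	return c, nil
}

// Serialize writes the commit back in Git's on-disk encoding.
func (c *Commit) Serialize() []byte {
	var b bytes.Buffer
	for _, h := range c.Headers {
		fmt.Fprintf(&b, "%s %s\n", h.Key, strings.ReplaceAll(h.Value, "\n", "\n "))
	}
	fmt.Fprintf(&b, "\n%s", c.Message)
	return b.Bytes()
}

// SignedPayload returns what a gpgsig signature covers: the raw object minus the
// gpgsig header and its continuation lines. It works on the raw bytes, never on
// the parsed struct, so verification targets the object as stored, not as displayed.
func SignedPayload(raw []byte) []byte {
	sep := bytes.Index(raw, []byte("\n\n"))
	if sep < 0 {
		return raw
	}
	var out bytes.Buffer
	skip := false
	for _, line := range bytes.SplitAfter(raw[:sep+1], []byte("\n")) {
		skip = bytes.HasPrefix(line, []byte("gpgsig ")) || (skip && bytes.HasPrefix(line, []byte(" ")))
		if !skip {
			out.Write(line)
		}
	}
	out.Write(raw[sep+1:])
	return out.Bytes()
}

// Constructed samples, not real commits (the signature is a placeholder). EmptyTree
// is Git's well-known SHA-1 of the empty tree; DupAuthorCommit carries two author
// headers, which a lenient parser might resolve either way.
const EmptyTree = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"
const GoodCommit = "tree " + EmptyTree + "\nauthor Alice <alice@example.com> 1700000000 +0000\n" +
	"committer Alice <alice@example.com> 1700000000 +0000\ngpgsig -----BEGIN PGP SIGNATURE-----\n" +
	" placeholder\n -----END PGP SIGNATURE-----\n\nFix build\n"
const DupAuthorCommit = "tree " + EmptyTree + "\nauthor Mallory <mallory@example.com> 1700000000 +0000\n" +
	"author Alice <alice@example.com> 1700000000 +0000\ncommitter Alice <alice@example.com> 1700000000 +0000\n\nFix build\n"

func main() {
	for _, obj := range []string{GoodCommit, DupAuthorCommit} {
		_, err := ParseStrict([]byte(obj))
		fmt.Printf("signed payload %d bytes, parse error: %v\n", len(SignedPayload([]byte(obj))), err)
	}
}
```

The duplicate-author sample is rejected outright: a parser that kept the first author would display Mallory, one that kept the last would display Alice, and a signature over the raw bytes vouches for neither display, only for the bytes. Cross-checking a go-git verdict with `git verify-commit` on the same object is a cheap second opinion in pipelines, since upstream Git is the reference behaviour the brief compares against.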