Description

go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would likely result in unexpected errors such as object not found. For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (.idx) are generated locally by go-git, or the git cli, when new .pack files are received and processed. The integrity checks for both files were not being verified correctly. This vulnerability is fixed in 5.16.5.

INFO

Published Date :

2026-02-09T22:13:41.974Z

Last Modified :

2026-02-11T21:23:14.781Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-25934 vulnerability.

Vendors Products
Go-git
  • Go-git
Go-git Project
  • Go-git
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25934.

URL Resource
https://github.com/go-git/go-git/releases/tag/v5.16.5 cve-icon cve-icon cve-icon
https://github.com/go-git/go-git/security/advisories/GHSA-37cx-329c-33x3 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-25934 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-25934 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact