CVE-2026-45570

Name: CVE-2026-45570
Description: go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A repository path containing a single quote can therefore break out of the quoted region in the exec command and be appended as additional shell tokens. This vulnerability is fixed in 5.19.1 and 6.0.0-alpha.4.
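The quoting flaw described above, shown as an added illustration that is not go-git's own code: a naive single-quote wrapper of the kind the advisory describes, beside a POSIX-correct one that rewrites each embedded quote as '\'' , plus a small tokenizer that splits the resulting command the way a remote sh would, so the extra argv entries become visible. The function names, the sample repository path and the use of git-upload-pack as the remote command are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// buildUploadPackCmd mirrors the vulnerable pattern from the advisory:
// the path is wrapped in single quotes and embedded quotes are not escaped.
// Illustrative only; this is not go-git's implementation.
func buildUploadPackCmd(path string) string {
	return fmt.Sprintf("git-upload-pack '%s'", path)
}

// shellQuote returns s as one single-quoted POSIX shell word. A single
// quote cannot be escaped inside single quotes, so each one is emitted
// as '\'' (close the quoted region, a backslash-escaped quote, reopen).
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// buildUploadPackCmdSafe is the hardened form of buildUploadPackCmd.
func buildUploadPackCmdSafe(path string) string {
	return "git-upload-pack " + shellQuote(path)
}

// splitWords tokenizes a command line like a POSIX sh for the subset of
// syntax used here: blanks separate words, single quotes quote literally,
// and a backslash outside quotes escapes the next byte. It exists so the
// example can count the argv entries the remote shell would actually see.
func splitWords(cmd string) ([]string, error) {
	var words []string
	var cur strings.Builder
	inWord, inSingle := false, false
	for i := 0; i < len(cmd); i++ {
		c := cmd[i]
		switch {
		case inSingle:
			if c == '\'' {
				inSingle = false
			} else {
				cur.WriteByte(c)
			}
		case c == '\'':
			inSingle, inWord = true, true
		case c == '\\':
			if i+1 >= len(cmd) {
				return nil, errors.New("trailing backslash")
			}
			i++
			cur.WriteByte(cmd[i])
			inWord = true
		case c == ' ' || c == '\t':
			if inWord {
				words = append(words, cur.String())
				cur.Reset()
				inWord = false
			}
		default:
			cur.WriteByte(c)
			inWord = true
		}
	}
	if inSingle {
		return nil, errors.New("unterminated single quote")
	}
	if inWord {
		words = append(words, cur.String())
	}
	return words, nil
}

func main() {
	// Constructed sample path: the embedded quotes close the quoted
	// region early and turn the remainder into extra shell words.
	path := "repo' bar 'baz"
	for _, cmd := range []string{buildUploadPackCmd(path), buildUploadPackCmdSafe(path)} {
		words, err := splitWords(cmd)
		fmt.Printf("%s\n  -> %d words %q (err=%v)\n", cmd, len(words), words, err)
	}
}
```

With the naive wrapper the remote shell sees four words, of which only the second is the intended path; with shellQuote it sees two, and the second is the path byte for byte. A stricter alternative for a transport that never needs quotes in paths is to reject any path containing one before building the command.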
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package                         Release      Version                     Status
golang-github-go-git-go-git (PTS)      bookworm     5.4.2-3                     vulnerable
                                       trixie       5.14.0-1                    vulnerable
                                       forky, sid   5.19.1-1                    fixed
golang-github-go-git-go-git-v6 (PTS)   forky        6~git20260305.2083cf94-3    vulnerable
                                       sid          6.0.0~alpha.4-1             fixed

The information below is based on the following data on fixed versions.

Package                          Type     Release      Fixed Version     Urgency   Origin   Debian Bugs
golang-github-go-git-go-git      source   (unstable)   5.19.1-1
golang-github-go-git-go-git-v6   source   (unstable)   6.0.0~alpha4-1

Notes

https://github.com/go-git/go-git/security/advisories/GHSA-m7cr-m3pv-hgrp
