{"id":"GHSA-389r-gv7p-r3rp","summary":"go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git","details":"### Impact\n`go-git` may parse malformed Git objects in a way that differs from upstream Git. When `commit` or `tag` objects contain ambiguous or malformed headers, `go-git`’s decoded representation may expose values differently from how Git itself would interpret or reject the same object.\n\nAdditionally, `go-git`’s commit signing and verification logic operates over commit data reconstructed from `go-git`’s parsed representation rather than the original raw object bytes. As a result, `go-git` may sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository.\n\nThis can cause a signature to appear valid for a commit whose displayed or effective metadata differs from the object that was intended to be signed.\n\n### Patches\nUsers should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected; users are recommended to upgrade to a supported `go-git` version.\n\n### Credit\n\nThanks to @bugbunny-research (https://bugbunny.ai/) for reporting this to `sigstore/gitsign`, and to @wlynch, @patzielinski and @adityasaky for coordinating the disclosure with the `go-git` project. :bow: :1st_place_medal: \n\nThanks to @wayphinder for reporting this to the `go-git` project. \n:bow:","aliases":["CVE-2026-45022"],"modified":"2026-05-12T04:44:33.110411208Z","published":"2026-05-11T14:48:12Z","related":["CGA-8x53-pqv6-wqhw"],"database_specific":{"nvd_published_at":null,"cwe_ids":["CWE-180","CWE-345"],"github_reviewed_at":"2026-05-11T14:48:12Z","severity":"HIGH","github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/go-git/go-git/security/advisories/GHSA-389r-gv7p-r3rp"},{"type":"PACKAGE","url":"https://github.com/go-git/go-git"}],"affected":[{"package":{"name":"github.com/go-git/go-git/v6","ecosystem":"Go","purl":"pkg:golang/github.com/go-git/go-git/v6"},"ranges":[{"type":"SEMVER","events":[{"introduced":"6.0.0-alpha.1"},{"fixed":"6.0.0-alpha.3"}]}],"database_specific":{"last_known_affected_version_range":"\u003c= 6.0.0-alpha.2","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-389r-gv7p-r3rp/GHSA-389r-gv7p-r3rp.json"}},{"package":{"name":"github.com/go-git/go-git/v5","ecosystem":"Go","purl":"pkg:golang/github.com/go-git/go-git/v5"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"5.19.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-389r-gv7p-r3rp/GHSA-389r-gv7p-r3rp.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N"}]}