Home > Vulnerability Database > CVE-2025-21613

Mend.io Vulnerability Database

CVE-2025-21613

Good to know:

Date: January 6, 2025

go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.

Severity Score

9.8

Related Resources (5)

Url: https://github.com/go-git/go-git

Url: https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m

Url: https://security-tracker.debian.org/tracker/CVE-2025-21613

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-21613

Url: https://www.mend.io/vulnerability-database/CVE-2025-21613

Severity Score

9.8

Weakness Type (CWE)

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CWE-88

Top Fix

Upgrade Version

Upgrade to version github.com/go-git/go-git/v5 - v5.13.0

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-21613

Good to know:

Date: January 6, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?