CVE-2025-21613
Argument Injection vulnerability in go-git.v4 (Go)

Argument Injection No known exploit

What is CVE-2025-21613 About?

This vulnerability allows for Argument Injection via the URL field in `github.com/go-git/go-git`. It can lead to arbitrary command execution or unexpected behavior due to manipulated arguments provided to underlying commands. Exploiting this flaw is likely straightforward if an attacker can control the URL input.

Affected Software

  • gopkg.in/src-d/go-git.v4
    • >=4.0.0, <=4.13.1
    • >=4.0.0
  • github.com/go-git/go-git/v5
    • <5.13.0
  • github.com/go-git/go-git/v4
    • >=4.0.0

Technical Details

The vulnerability stems from improper handling or sanitization of input provided within the URL field in the github.com/go-git/go-git library. When this URL is processed, attacker-controlled characters or sequences within it are not adequately escaped or validated, allowing them to be interpreted as additional arguments or options to a shell command or an underlying system call. This 'argument injection' can alter the intended execution flow or permit the execution of arbitrary commands, directly impacting the integrity and potentially the confidentiality and availability of the system.

What is the Impact of CVE-2025-21613?

Successful exploitation may allow attackers to execute arbitrary commands, alter application behavior, or potentially compromise the system.

What is the Exploitability of CVE-2025-21613?

Exploitation requires an attacker to provide a malicious URL as input to the github.com/go-git/go-git library. The complexity is low, as the primary prerequisite is the ability to control the URL field. No authentication for the injection itself is required if the vulnerable function is exposed to unauthenticated input. The attack is likely remote, as URLs are typically provided over a network. The likelihood of exploitation is increased if the application widely accepts user-provided URLs without robust input validation.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CVE-2025-21613?

Available Upgrade Options

  • github.com/go-git/go-git/v5
    • <5.13.0 → Upgrade to 5.13.0
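
Alongside the upgrade, an application that accepts repository URLs from users can validate them before they reach the library's URL field. The following is an added example, not code from go-git or from this advisory: `ValidateRepoURL`, the scheme allowlist, and the sample inputs are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Assumed policy: network transports only; local paths and file:// are refused.
var allowedSchemes = map[string]bool{"https": true, "ssh": true}

// ValidateRepoURL is a hypothetical helper, not a go-git API. Call it on
// untrusted input before the value is placed in the library's URL field.
func ValidateRepoURL(raw string) (*url.URL, error) {
	if raw == "" {
		return nil, errors.New("empty URL")
	}
	// A leading '-' lets a value be read as an option instead of an operand.
	if strings.HasPrefix(raw, "-") {
		return nil, errors.New("URL begins with '-'")
	}
	for _, r := range raw {
		if r <= 0x20 || r == 0x7f {
			return nil, errors.New("whitespace or control character in URL")
		}
	}
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("unparseable URL: %w", err)
	}
	if !allowedSchemes[u.Scheme] {
		return nil, fmt.Errorf("scheme %q is not allowed", u.Scheme)
	}
	if h := u.Hostname(); h == "" || strings.HasPrefix(h, "-") {
		return nil, errors.New("missing host, or host begins with '-'")
	}
	return u, nil
}

func main() {
	// Constructed sample inputs, not taken from the advisory.
	for _, in := range []string{"https://example.com/org/repo.git",
		"--constructed-option=value", "file:///srv/repos/a.git", "https://-h.example/r.git"} {
		_, err := ValidateRepoURL(in)
		fmt.Printf("%-40q accepted=%t err=%v\n", in, err == nil, err)
	}
}
```

Under this assumed policy, scp-style addresses (`user@host:path`) and bare local paths are rejected as well, so widen the allowlist only for transports the application actually needs.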

What are Similar Vulnerabilities to CVE-2025-21613?

Similar Vulnerabilities: CVE-2022-24368, CVE-2021-38185, CVE-2020-13768, CVE-2018-1000517, CVE-2017-1000117