Go-Git is a highly extensible git implementation library written in pure Go. It is designed to provide a simple and efficient way for users to interact with Git repositories and perform a variety of operations, such as cloning, fetching, and pulling. The library is used by many popular open-source projects, including GitLab and Kubernetes.

Recently, an argument injection vulnerability (CVE-2025-21613) was discovered in Go-Git versions prior to v5.13. This vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags when the file transport protocol is being used, as this is the only protocol that shells out to git binaries. Fortunately, this vulnerability has been fixed in Go-Git version 5.13..

In this post, we will discuss the details of this vulnerability, its potential impact, and how it can be mitigated.

Vulnerability Details

CVE-2025-21613 is an argument injection vulnerability that affects Go-Git versions prior to v5.13. The vulnerability is due to improper handling of user-supplied input, specifically the repository URLs that are passed as parameters to the git-upload-pack command. By manipulating the repository URL, an attacker can set arbitrary values to git-upload-pack flags, which can lead to unintended consequences, such as unauthorized access to sensitive information or the execution of arbitrary commands.

Exploitation

To exploit this vulnerability, an attacker needs to control the repository URL input that is passed to the git-upload-pack command in the Go-Git library. The library's file_transport.go file contains code that looks like the following:

cmd := exec.Command("git", "upload-pack", "--stateless-rpc", req.URL.Path)

An attacker can manipulate the req.URL.Path parameter to set arbitrary git-upload-pack flags, as no validation is done on its content. For instance, by injecting the -uploadpack flag, the attacker can cause the git-upload-pack command to download arbitrary files from the target server or execute arbitrary commands on the remote system. The following are some examples of malicious URLs:

git://example.com/repo.git?cmd=;+ls%20-l

Original Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21613

Mitigation

To mitigate this vulnerability, users of Go-Git must upgrade their library to version 5.13. or later. In version 5.13., the library includes proper input validation to prevent argument injection attacks.

To update Go-Git in your project, you can use the following command

go get -u gopkg.in/src-d/go-git.v5@v5.13.

Additionally, developers should ensure that they follow secure coding practices, such as input validation and parameterized commands, to prevent future argument injection vulnerabilities.

Conclusion

CVE-2025-21613 is a critical argument injection vulnerability affecting Go-Git versions prior to 5.13.. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags, leading to unauthorized access to sensitive information or the execution of arbitrary commands on the remote system. To mitigate this vulnerability, users are urged to upgrade their Go-Git library to version 5.13. or later and follow secure coding practices.

Timeline

Published on: 01/06/2025 17:15:47 UTC