CVE-2026-45022
Status: Received - Intake
Malformed Git Object Parsing in go-git

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representation may expose values differently from how Git itself would interpret or reject the same object. Additionally, go-git’s commit signing and verification logic operates over commit data reconstructed from go-git’s parsed representation rather than the original raw object bytes. As a result, go-git may sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository. This can cause a signature to appear valid for a commit whose displayed or effective metadata differs from the object that was intended to be signed. This vulnerability is fixed in 5.19.0 and 6.0.0-alpha.3.
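The failure mode described above is a canonicalization gap: the bytes a struct-based verifier signs or checks are reconstructed from parsed fields, not read from the stored object. The following is an added defensive check (example code, not go-git's own), which parses a raw commit object, re-encodes it through a hypothetical fixed-field record, and refuses to trust a signature unless the re-encoded bytes match the stored object and every single-valued header occurs exactly once. The sample objects and the "last copy wins" rule for duplicated headers are assumptions for illustration, not a description of go-git's parser.

```python
SINGLE_VALUED = ("tree", "author", "committer")  # Git expects exactly one each
ORDER = ("tree", "parent", "author", "committer", "gpgsig")  # typed encoder order

def parse_commit(raw: bytes):
    """Return (ordered header list, message); space-led lines continue a header."""
    head, sep, message = raw.partition(b"\n\n")
    if not sep:
        raise ValueError("commit object has no header/message separator")
    headers = []
    for line in head.split(b"\n"):
        if line.startswith(b" ") and headers:  # multi-line value, e.g. gpgsig
            headers[-1] = (headers[-1][0], headers[-1][1] + b"\n" + line)
        else:
            key, _, value = line.partition(b" ")
            headers.append((key.decode("ascii", "replace"), value))
    return headers, message

def reencode_via_struct(headers, message):
    """Collapse into a fixed-field record and serialize it again, as a typed Commit
    struct does. Assumption for illustration: a duplicated header keeps its last copy."""
    rec = {"parents": []}
    for key, value in headers:
        if key == "parent":
            rec["parents"].append(value)
        else:
            rec[key] = value  # earlier copies and unmodelled headers are lost here
    lines = []
    for key in ORDER:
        if key == "parent":
            lines += [b"parent " + p for p in rec["parents"]]
        elif key in rec:
            lines.append(key.encode() + b" " + rec[key])
    return b"\n".join(lines) + b"\n\n" + message

def verify_payload_matches(raw: bytes):
    """Return (ok, problems). ok only if each single-valued header occurs once and the
    re-encoded record equals the stored bytes, so a signature over it vouches for them."""
    headers, message = parse_commit(raw)
    problems = [f"{k} must appear exactly once" for k in SINGLE_VALUED
                if sum(h[0] == k for h in headers) != 1]
    if reencode_via_struct(headers, message) != raw:
        problems.append("re-encoded object differs from stored bytes")
    return not problems, problems

TREE = b"tree 0123456789abcdef0123456789abcdef01234567"  # constructed placeholder id
AUTHOR = b"author Alice <alice@example.com> 1700000000 +0000"
COMMITTER = b"committer Alice <alice@example.com> 1700000000 +0000"
GOOD = b"\n".join([TREE, AUTHOR, COMMITTER, b"", b"Add feature\n"])
BAD = b"\n".join([TREE, AUTHOR, b"author Bob <bob@example.com> 1700000000 +0000",
                  COMMITTER, b"", b"Add feature\n"])  # second, conflicting author
```

A verifier that only accepts a signature when `verify_payload_matches` returns ok closes the gap between displayed metadata and signed bytes regardless of which copy of a duplicated header its parser happens to keep.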
Affected Vendors & Products

Vendor: go-git
Product: go-git
Version / Range: up to 6.0.0-alpha.3 (excluding)
CWE

CWE-345: The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-180: The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in go-git involves the way it parses malformed Git objects, such as commit or tag objects with ambiguous or malformed headers. Unlike the upstream Git implementation, go-git may interpret these objects differently, leading to discrepancies in the decoded representation.

Additionally, go-git's commit signing and verification process works on reconstructed commit data derived from its parsed representation rather than the original raw object bytes. This can cause a commit signature to appear valid even when the commit's displayed or effective metadata differs from the actual object stored in the repository.

This means that a signature might validate a commit that has been altered or interpreted differently than intended, potentially misleading users about the authenticity or integrity of the commit.

How can this vulnerability impact me?

This vulnerability can impact users by allowing signatures to validate commits whose metadata or content differs from what was originally intended or stored. This discrepancy can undermine trust in the authenticity and integrity of commits.

As a result, users or systems relying on commit signatures for verification may be misled into accepting altered or malformed commits as legitimate, potentially leading to security risks such as unauthorized code changes or supply chain attacks.