Compliance Impact

The vulnerability in go-git involves improper escaping of single quotes in SSH transport commands, which could allow additional shell tokens to be executed on SSH servers that evaluate the exec command through a shell. However, this vulnerability has a low severity score (2.3 CVSS v4) and does not directly impact confidentiality, integrity, or availability of the vulnerable system.

Because there is no direct impact on confidentiality or integrity, the vulnerability itself does not explicitly indicate a direct violation or non-compliance with common standards and regulations such as GDPR or HIPAA. Nevertheless, any potential for unauthorized command execution could pose a risk if exploited in a broader attack context, which organizations should consider when assessing their compliance posture.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-45570 is a vulnerability in the go-git library's SSH transport mechanism. The issue occurs because go-git constructs remote exec commands by wrapping repository paths in single quotes but does not properly escape single quotes embedded inside those paths.

If a repository path contains a single quote, it can break out of the quoted region in the exec command, allowing additional shell tokens to be appended. This can lead to unintended command execution on SSH servers that evaluate the exec command through a shell.

The vulnerability is fixed in go-git versions 5.19.1 and 6.0.0-alpha.4 by adopting proper shell-quoting techniques similar to canonical Git.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to execute additional shell commands on the SSH server if the server evaluates the exec command through a shell (such as /bin/sh or /bin/bash).

However, the impact is considered low severity (CVSS score 2.3) and does not directly affect the confidentiality, integrity, or availability of the vulnerable system.

The risk mainly arises on the SSH server side and depends on the server's command evaluation method. Servers that do not evaluate commands through a shell, like those using git-shell, are not affected.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves improper escaping of single quotes in repository paths used in SSH exec commands by go-git. Detection would involve monitoring SSH exec commands for suspicious or malformed command strings where repository paths contain unescaped single quotes that break out of quoted regions.

Since the vulnerability manifests on the SSH server side when processing exec commands, you can inspect SSH server logs or capture SSH traffic to identify commands containing repository paths with single quotes that are not properly escaped.

There are no specific commands provided in the resources to detect this vulnerability, but general approaches include:

• Use SSH server logging to capture exec commands and search for repository paths containing single quotes.
• Use packet capture tools (e.g., tcpdump, Wireshark) to analyze SSH traffic for suspicious exec command payloads.
• On the server, check for unusual shell command executions triggered by SSH sessions that could indicate exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade go-git to a patched version where this vulnerability is fixed.

• Upgrade go-git to version 5.19.1 or later, or to 6.0.0-alpha.4 or later.

Additionally, if possible, configure SSH servers to avoid shell evaluation of exec commands by using restricted shells such as git-shell, which are not affected by this vulnerability.

Useful 0 Not Useful 0