CVE-2026-45570
SSH Command Injection in go-git Library
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| go-git | go-git | up to 6.0.0-alpha.4 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-45570 is a vulnerability in the go-git library's SSH transport mechanism. The issue occurs because go-git constructs remote exec commands by wrapping repository paths in single quotes but does not properly escape single quotes embedded inside those paths.
If a repository path contains a single quote, it can break out of the quoted region in the exec command, allowing additional shell tokens to be appended. This can lead to unintended command execution on SSH servers that evaluate the exec command through a shell.
The vulnerability is fixed in go-git versions 5.19.1 and 6.0.0-alpha.4 by adopting proper shell-quoting techniques similar to canonical Git.
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute additional shell commands on the SSH server if the server evaluates the exec command through a shell (such as /bin/sh or /bin/bash).
However, the impact is considered low severity (CVSS score 2.3) and does not directly affect the confidentiality, integrity, or availability of the vulnerable system.
The risk mainly arises on the SSH server side and depends on the server's command evaluation method. Servers that do not evaluate commands through a shell, like those using git-shell, are not affected.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability stems from go-git's improper escaping of single quotes in repository paths placed into SSH exec commands. Detection therefore focuses on the SSH server side, where the exec command is received: look for command strings whose repository path contains an unescaped single quote that closes the quoted region early, leaving extra shell tokens or an unclosed quote behind.
In practice this means inspecting SSH server logs (where exec requests are recorded) or captured SSH session data for git transport commands whose quoting is malformed in this way.
There are no specific commands provided in the resources to detect this vulnerability, but general approaches include:
- Use SSH server logging to capture exec commands and search for repository paths containing single quotes.
- Use packet capture tools (e.g., tcpdump, Wireshark) to analyze SSH traffic for suspicious exec command payloads.
- On the server, check for unusual shell command executions triggered by SSH sessions that could indicate exploitation attempts.
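The following Go program is an added example, not go-git's own code, and covers both the quoting flaw explained above and the server-side detection approach just listed. It builds the remote exec string for a git transport verb in two ways: the flawed pattern the advisory describes (wrap in single quotes, leave embedded quotes alone) and the canonical-Git style `'\''` escaping that the fix adopts. A small single-quote-aware tokenizer then shows what a shell would make of each command, and `suspiciousExec` applies the detection rule a server-side log scanner could use: a well-formed git exec request is exactly one allowed verb plus one well-quoted path, so extra words or an unclosed quote are flagged. The repository path `team's repo.git`, the verb allow-list and all function names are this example's own assumptions; the tokenizer models only plain words, single quotes and backslash escapes.

```go
package main

import (
	"fmt"
	"strings"
)

// sqQuote single-quotes s for a POSIX shell the way canonical Git does:
// every embedded ' becomes '\'' (close the quote, emit an escaped quote,
// reopen the quote). Illustrative code, not go-git's own implementation.
func sqQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// naiveQuote is the flawed pattern the advisory describes: the path is
// wrapped in single quotes but embedded quotes are not escaped.
func naiveQuote(s string) string {
	return "'" + s + "'"
}

// execCommand builds the remote exec string for a git transport verb
// using the supplied quoting function.
func execCommand(verb, path string, quote func(string) string) string {
	return verb + " " + quote(path)
}

// shellWords tokenizes cmd roughly as a POSIX shell would for a command made
// of plain words, single-quoted regions and backslash escapes (double quotes
// and expansions are not modelled). The bool reports whether every quoted
// region was closed.
func shellWords(cmd string) ([]string, bool) {
	var words []string
	var cur strings.Builder
	inWord, inQuote, escaped := false, false, false
	for _, r := range cmd {
		switch {
		case inQuote: // inside '...': everything is literal until the next '
			if r == '\'' {
				inQuote = false
			} else {
				cur.WriteRune(r)
			}
		case escaped: // character after a backslash is taken literally
			cur.WriteRune(r)
			escaped = false
			inWord = true
		case r == '\\':
			escaped = true
			inWord = true
		case r == '\'':
			inQuote = true
			inWord = true
		case r == ' ' || r == '\t': // unquoted whitespace ends the word
			if inWord {
				words = append(words, cur.String())
				cur.Reset()
				inWord = false
			}
		default:
			cur.WriteRune(r)
			inWord = true
		}
	}
	if inWord {
		words = append(words, cur.String())
	}
	return words, !inQuote && !escaped
}

// allowedVerbs is an assumed allow-list of the git transport verbs a client
// legitimately sends over SSH.
var allowedVerbs = map[string]bool{
	"git-upload-pack":    true,
	"git-receive-pack":   true,
	"git-upload-archive": true,
}

// suspiciousExec reports whether an SSH exec request lacks the shape a git
// client should produce: exactly one allowed verb followed by exactly one
// well-quoted path. A quote that breaks out of the path yields extra words
// or an unclosed quoted region, and both are flagged.
func suspiciousExec(cmd string) bool {
	words, balanced := shellWords(cmd)
	return !balanced || len(words) != 2 || !allowedVerbs[words[0]]
}

func main() {
	path := "team's repo.git" // constructed repository path with an embedded quote
	quoters := []struct {
		name string
		fn   func(string) string
	}{{"naive", naiveQuote}, {"sqQuote", sqQuote}}
	for _, q := range quoters {
		cmd := execCommand("git-upload-pack", path, q.fn)
		words, balanced := shellWords(cmd)
		fmt.Printf("%-8s %-44q words=%q balanced=%v flagged=%v\n",
			q.name, cmd, words, balanced, suspiciousExec(cmd))
	}
}
```

Run it and the naive variant produces three words with an unclosed quote (flagged), while the `sqQuote` variant round-trips to the single path `team's repo.git` and passes. The same `suspiciousExec` rule can be run over exec commands pulled from server logs; note that a server whose login shell is git-shell never hands the string to a shell at all, which is why the advisory lists it as unaffected.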
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade go-git to a patched version where this vulnerability is fixed.
- Upgrade go-git to version 5.19.1 or later, or to 6.0.0-alpha.4 or later.
Additionally, if possible, configure SSH servers to avoid shell evaluation of exec commands by using restricted shells such as git-shell, which are not affected by this vulnerability.