CVE-2025-21613 · CRITICAL 9.8 · EPSS p65.3%

Description

go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.24% probability of exploitation · percentile 65.3% · 2026-06-18T12:00:27Z
Published: 2025-01-06
Last modified: 2025-04-17

Underlying weaknesses · 1

CWE-88

References

  1. https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m

Type: Weakness
Target: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (cwe-88)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-45570
CVE-2026-45022
CVE-2026-45571
CVE-2025-4674
CVE-2026-42215
CVE-2025-64111

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.