VIR Vulnerability Intelligence Relay

CVE-2023-49568

unknown
Published 2023-12-27 · Modified 2026-02-04
CVSS v3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v2
VIR risk

Description

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability. This is a go-git implementation issue and does not affect the upstream git cli.

Predictions

Exploit likelihood
30%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2023-49568

OS impact
OSVersionStatusFixed in
debian debianbookwormaffected
debian debianforkyfixed5.11.0-1
debian debiansidfixed5.11.0-1
debian debiantrixiefixed5.11.0-1

Package impact
EcosystemPackageVulnerableFixed
golang Gogithub.com/go-git/go-git/v5<5.11.05.11.0
golang Gogopkg.in/src-d/go-git.v4>=4.7.1,<=4.13.1
golang Gogopkg.in/src-d/go-git.v4>=4.7.1
golang Gogithub.com/go-git/go-git/v5>=5.0.0,<5.11.05.11.0

References

Verify integrity in audit chain (admin only). AS-IS.