VIR Vulnerability Intelligence Relay

CVE-2023-49568

unknown
Published 2023-12-27 · Modified 2026-02-04
💬 Discuss on Community ✚ Propose mitigation
CVSS v3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4 NEW
not yet in upstream
VIR risk

Description

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability. This is a go-git implementation issue and does not affect the upstream git cli.

Predictions

Exploit likelihood
30%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

OS impact
debian Debian Mixed 4 releases
VersionStatusFixed in
trixie Fixed 5.11.0-1
sid Fixed 5.11.0-1
forky Fixed 5.11.0-1
bookworm Affected

Package impact
EcosystemPackageVulnerableFixed
golang Gogithub.com/go-git/go-git/v5<5.11.05.11.0
golang Gogopkg.in/src-d/go-git.v4>=4.7.1,<=4.13.1
golang Gogopkg.in/src-d/go-git.v4>=4.7.1
golang Gogithub.com/go-git/go-git/v5>=5.0.0,<5.11.05.11.0

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.