CVE-2025-21614 - Vulnerability Details

- go-git clients vulnerable to DoS via maliciously crafted Git server replies

Description

go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

Published: 2025-01-06

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

go-git

affected

Version	Status	Constraints
`>= 4.0.0, < 5.13.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:go-git_project:go-git:*:*:*:*:*:go:*:*

Package	CPE	Advisory	Released Date
Red Hat Advanced Cluster Security 4.4
advanced-cluster-security/rhacs-main-rhel8:4.4.8-2	cpe:/a:redhat:advanced_cluster_security:4.4::el8	RHSA-2025:1468	2025-02-13T00:00:00Z
advanced-cluster-security/rhacs-rhel8-operator:4.4.8-2	cpe:/a:redhat:advanced_cluster_security:4.4::el8	RHSA-2025:1468	2025-02-13T00:00:00Z
advanced-cluster-security/rhacs-roxctl-rhel8:4.4.8-2	cpe:/a:redhat:advanced_cluster_security:4.4::el8	RHSA-2025:1468	2025-02-13T00:00:00Z
Red Hat Advanced Cluster Security 4.5
advanced-cluster-security/rhacs-main-rhel8:4.5.6-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:1334	2025-02-11T00:00:00Z
advanced-cluster-security/rhacs-rhel8-operator:4.5.6-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:1334	2025-02-11T00:00:00Z
advanced-cluster-security/rhacs-roxctl-rhel8:4.5.6-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:1334	2025-02-11T00:00:00Z
advanced-cluster-security/rhacs-scanner-rhel8:4.5.6-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:1334	2025-02-11T00:00:00Z
advanced-cluster-security/rhacs-scanner-slim-rhel8:4.5.6-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:1334	2025-02-11T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.5.6-1	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:1334	2025-02-11T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-rhel8:4.5.6-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:1334	2025-02-11T00:00:00Z
Red Hat Advanced Cluster Security 4.6
advanced-cluster-security/rhacs-central-db-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-collector-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-collector-slim-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-main-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-operator-bundle:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-rhel8-operator:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-roxctl-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-scanner-db-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-scanner-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-scanner-slim-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
Red Hat Enterprise Linux 8
grafana-0:9.2.10-21.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:0401	2025-01-20T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
grafana-0:9.2.10-21.el9_4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2025:0662	2025-01-23T00:00:00Z
Red Hat OpenShift Container Platform 4.16
openshift4/ose-helm-rhel9-operator:v4.16.0-202502130836.p0.g26e182e.assembly.stream.el9	cpe:/a:redhat:openshift:4.16::el9	RHSA-2025:1704	2025-02-27T00:00:00Z
openshift4/ose-operator-sdk-rhel9:v4.16.0-202502190034.p0.g26e182e.assembly.stream.el9	cpe:/a:redhat:openshift:4.16::el9	RHSA-2025:1704	2025-02-27T00:00:00Z
Red Hat OpenShift Container Platform 4.17
openshift4/oc-mirror-plugin-rhel9:v4.17.0-202501221434.p0.g39bedc7.assembly.stream.el9	cpe:/a:redhat:openshift:4.17::el9	RHSA-2025:0654	2025-01-28T00:00:00Z
openshift4/ose-helm-rhel9-operator:v4.17.0-202502051104.p0.g61a705e.assembly.stream.el9	cpe:/a:redhat:openshift:4.17::el9	RHSA-2025:1119	2025-02-11T00:00:00Z
openshift4/ose-operator-sdk-rhel9:v4.17.0-202502051104.p0.g61a705e.assembly.stream.el9	cpe:/a:redhat:openshift:4.17::el9	RHSA-2025:1119	2025-02-11T00:00:00Z
Red Hat OpenShift Container Platform 4.18
openshift4/oc-mirror-plugin-rhel9:v4.18.0-202502100934.p0.gc00c7c9.assembly.stream.el9	cpe:/a:redhat:openshift:4.18::el9	RHSA-2024:6122	2025-02-25T00:00:00Z
openshift4/ose-olm-catalogd-rhel9:v4.18.0-202502052031.p0.gf95a88f.assembly.stream.el9	cpe:/a:redhat:openshift:4.18::el9	RHSA-2024:6122	2025-02-25T00:00:00Z
openshift4/ose-olm-operator-controller-rhel9:v4.18.0-202502051931.p0.g74a2477.assembly.stream.el9	cpe:/a:redhat:openshift:4.18::el9	RHSA-2024:6122	2025-02-25T00:00:00Z
Red Hat OpenShift GitOps 1.14
openshift-gitops-argocd-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-argocd-rhel9-container-v1.14.3-1	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-argo-rollouts-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-console-plugin-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-dex-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-kam-delivery-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-must-gather-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-operator-bundle-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-operator-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
Red Hat OpenShift GitOps 1.15
openshift-gitops-1/argocd-extensions-rhel8:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/argocd-rhel8:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/argocd-rhel9:v1.15.1-1	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/argo-rollouts-rhel8:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/console-plugin-rhel8:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/dex-rhel8:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/gitops-operator-bundle:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/gitops-rhel8:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/gitops-rhel8-operator:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/must-gather-rhel8:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
Red Hat OpenStack Platform 16.2
rhosp-rhel8/osp-director-agent:1.3.0-17	cpe:/a:redhat:openstack:16.2::el8	RHSA-2025:1869	2025-02-26T00:00:00Z
rhosp-rhel8/osp-director-downloader:1.3.0-17	cpe:/a:redhat:openstack:16.2::el8	RHSA-2025:1869	2025-02-26T00:00:00Z
rhosp-rhel8/osp-director-operator:1.3.0-15	cpe:/a:redhat:openstack:16.2::el8	RHSA-2025:1869	2025-02-26T00:00:00Z
rhosp-rhel8/osp-director-operator-bundle:1.3.0-33	cpe:/a:redhat:openstack:16.2::el8	RHSA-2025:1869	2025-02-26T00:00:00Z
Red Hat OpenStack Platform 17.1 for RHEL 9
rhosp-rhel9/osp-director-agent:1.3.1-20	cpe:/a:redhat:openstack:17.1::el9	RHSA-2025:1870	2025-02-26T00:00:00Z
rhosp-rhel9/osp-director-downloader:1.3.1-18	cpe:/a:redhat:openstack:17.1::el9	RHSA-2025:1870	2025-02-26T00:00:00Z
rhosp-rhel9/osp-director-operator:1.3.1-20	cpe:/a:redhat:openstack:17.1::el9	RHSA-2025:1870	2025-02-26T00:00:00Z
rhosp-rhel9/osp-director-operator-bundle:1.3.1-41	cpe:/a:redhat:openstack:17.1::el9	RHSA-2025:1870	2025-02-26T00:00:00Z
Red Hat Trusted Profile Analyzer 1.2
registry.redhat.io/rhtpa/rhtpa-guac-rhel9:sha256:2dc71ee6e8c55a29b6dd68006c7d0365154d35c850021d8b4b77e24b4e8fd1a6	cpe:/a:redhat:trusted_profile_analyzer:1.2::el9	RHSA-2025:0444	2025-01-20T00:00:00Z
registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9:sha256:eb2e0b1003ef77c39b28fe9fbe2ca8141aa72160bdcd7d55eddac2c16629d7c4	cpe:/a:redhat:trusted_profile_analyzer:1.2::el9	RHSA-2025:0445	2025-01-20T00:00:00Z

No data available yet.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-0043	go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.
Github GHSA	GHSA-r9px-m959-cxf4	go-git clients vulnerable to DoS via maliciously crafted Git server replies

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00222.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4
https://nvd.nist.gov/vuln/detail/CVE-2025-21614
https://pkg.go.dev/vuln/GO-2025-3367
https://www.cve.org/CVERecord?id=CVE-2025-21614

History

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00107}`	epss `{'score': 0.00087}`

Tue, 10 Jun 2025 07:00:00 +0000

Type	Values Removed	Values Added
References		https://pkg.go.dev/vuln/GO-2025-3367

Thu, 17 Apr 2025 03:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Go-git Project Go-git Project go-git
CPEs		cpe:2.3:a:go-git_project:go-git::::::go::*
Vendors & Products		Go-git Project Go-git Project go-git

Thu, 20 Mar 2025 15:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openshift_gitops:1.14::el8

Thu, 27 Feb 2025 15:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openshift:4.16::el9

Thu, 27 Feb 2025 02:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat openshift Gitops Redhat openstack
CPEs		cpe:/a:redhat:openshift_gitops:1.15::el8 cpe:/a:redhat:openstack:16.2::el8 cpe:/a:redhat:openstack:17.1::el9
Vendors & Products		Redhat openshift Gitops Redhat openstack

Tue, 25 Feb 2025 15:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openshift:4.18::el9

Fri, 14 Feb 2025 03:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:advanced_cluster_security:4.4::el8

Thu, 13 Feb 2025 01:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat advanced Cluster Security Redhat enterprise Linux Redhat openshift Redhat rhel Eus Redhat trusted Profile Analyzer
CPEs		cpe:/a:redhat:advanced_cluster_security:4.5::el8 cpe:/a:redhat:advanced_cluster_security:4.6::el8 cpe:/a:redhat:enterprise_linux:8 cpe:/a:redhat:openshift:4.17::el9 cpe:/a:redhat:rhel_eus:9.4 cpe:/a:redhat:trusted_profile_analyzer:1.2::el9
Vendors & Products		Redhat Redhat advanced Cluster Security Redhat enterprise Linux Redhat openshift Redhat rhel Eus Redhat trusted Profile Analyzer

Thu, 09 Jan 2025 14:00:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-21614 https://www.cve.org/CVERecord?id=CVE-2025-21614
Metrics	threat_severity `None`	threat_severity `Important`

Mon, 06 Jan 2025 17:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-770
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 06 Jan 2025 16:30:00 +0000

Type	Values Removed	Values Added
Description		go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.
Title		go-git clients vulnerable to DoS via maliciously crafted Git server replies
Weaknesses		CWE-400
References		https://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Go-git Project Go-git

Redhat Advanced Cluster Security Enterprise Linux Openshift Openshift Gitops Openstack Rhel Eus Trusted Profile Analyzer

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-01-06T16:20:16.140Z

Updated: 2025-08-26T19:48:04.692Z

Reserved: 2024-12-29T03:00:24.713Z

Link: CVE-2025-21614

Vulnrichment

Updated: 2025-01-06T16:36:27.947Z

NVD

Status : Analyzed

Published: 2025-01-06T17:15:47.310

Modified: 2025-09-30T15:24:48.423

Link: CVE-2025-21614

Redhat

Severity : Important

Publid Date: 2025-01-06T16:20:16Z

Links: CVE-2025-21614 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object