go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue. This issue has been patched in version 5.17.1.

Metrics

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Vendors Products
Go-git Subscribe
Go-git Subscribe
Go-git Project Subscribe
Go-git Subscribe

Configuration 1 [-]

cpe:2.3:a:go-git_project:go-git:*:*:*:*:*:go:*:*

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors Products
Go-git Subscribe
Go-git Subscribe
Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gm2x-2g9h-ccm8 go-git missing validation decoding Index v4 files leads to panic
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://github.com/go-git/go-git/releases/tag/v5.17.1 cve-icon cve-icon cve-icon
https://github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-33762 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-33762 cve-icon
History

Fri, 03 Apr 2026 01:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1284
References
Metrics threat_severity

None

 threat_severity

Low

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Go-git Project
Go-git Project go-git
CPEs cpe:2.3:a:go-git_project:go-git:*:*:*:*:*:go:*:*
Vendors & Products Go-git Project
Go-git Project go-git

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Go-git
Go-git go-git
Vendors & Products Go-git
Go-git go-git

Tue, 31 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Description go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue. This issue has been patched in version 5.17.1.
Title go-git: Missing validation decoding Index v4 files leads to panic
Weaknesses CWE-129
References
Metrics cvssV3_1

{'score': 2.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L'}

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T18:53:08.221Z

Reserved: 2026-03-23T18:30:14.126Z

Link: CVE-2026-33762

cve-icon Vulnrichment

Updated: 2026-03-31T18:50:27.235Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T15:16:15.597

Modified: 2026-04-02T16:49:29.700

Link: CVE-2026-33762

cve-icon Redhat

Severity : Low

Publid Date: 2026-03-31T13:47:42Z

Links: CVE-2026-33762 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:19:30Z

Weaknesses