{"data":{"id":"6ef1caac-1fca-4f49-b25c-4b60d61da388","title":"GHSA-389r-gv7p-r3rp: go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git","summary":"go-git (a Git implementation in Go) may parse malformed Git objects differently than upstream Git, which could cause commits or tags with ambiguous headers to be interpreted inconsistently. This is especially problematic for commit signing and verification, since go-git signs or verifies commits based on its own parsed representation rather than the original raw bytes, potentially making invalid signatures appear valid when the commit's displayed content differs from what was actually signed.","solution":"Upgrade to a patched release: go-git v5.19.0 or later on the v5 line, or v6.0.0-alpha.3 or later on the v6 line. Versions prior to v5 are likely affected as well; users of those versions are advised to move to a supported go-git version.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-389r-gv7p-r3rp","publishedAt":"2026-05-11T14:48:12.000Z","cveId":"CVE-2026-45022","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["github.com/go-git/go-git/v5@< 5.19.0 (fixed: 5.19.0)","github.com/go-git/go-git/v6@>= 6.0.0-alpha.1, <= 6.0.0-alpha.2 (fixed: 6.0.0-alpha.3)"],"affectedVendors":[],"affectedVendorsRaw":["go-git"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-05-11T14:48:12.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity"],"aiComponentTargeted":null,"llmSpecific":false,"classifierConfidence":0.72,"researchCategory":null,"atlasIds":null}}