GHSA-389r-gv7p-r3rp: go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git
Summary
go-git (a Git implementation in Go) may parse malformed Git objects differently than upstream Git, which could cause commits or tags with ambiguous headers to be interpreted inconsistently. This is especially problematic for commit signing and verification, since go-git signs or verifies commits based on its own parsed representation rather than the original raw bytes, potentially making invalid signatures appear valid when the commit's displayed content differs from what was actually signed.
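To make the signing point concrete, the following is an added example in Go (not go-git's code): a deliberately lossy toy header parser, hypothetical `parseHeaders`/`encode` helpers, and a `RoundTripsExactly` guard that a verifier can run before trusting a signature over its own re-serialised view of an object. The sample commit objects are constructed here and are not taken from the advisory.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// Header is one "key value" line from a commit or tag header section.
type Header struct{ Key, Value string }

// parseHeaders is a deliberately lossy toy parser (not go-git's code): it keeps
// only the first occurrence of each key, so its view can diverge from raw bytes.
func parseHeaders(raw []byte) (headers []Header, body string) {
	headerPart, body, _ := strings.Cut(string(raw), "\n\n")
	seen := map[string]bool{}
	for _, line := range strings.Split(headerPart, "\n") {
		key, value, ok := strings.Cut(line, " ")
		if !ok || seen[key] {
			continue // malformed or duplicate header: dropped from the parsed view
		}
		seen[key] = true
		headers = append(headers, Header{key, value})
	}
	return headers, body
}

// encode re-serialises the parsed view, which is what a verifier that trusts
// its own parse rather than the stored bytes would hash or verify.
func encode(headers []Header, body string) []byte {
	var b bytes.Buffer
	for _, h := range headers {
		fmt.Fprintf(&b, "%s %s\n", h.Key, h.Value)
	}
	b.WriteString("\n" + body)
	return b.Bytes()
}

// RoundTripsExactly is the guard: if re-encoding the parsed object does not
// reproduce the raw bytes, the object should be rejected, not verified.
func RoundTripsExactly(raw []byte) bool {
	headers, body := parseHeaders(raw)
	return bytes.Equal(encode(headers, body), raw)
}

// Constructed sample objects (not from the advisory); the second repeats "tree".
var CleanCommit = []byte("tree 1111111111111111111111111111111111111111\nauthor A <a@example.com> 1 +0000\ncommitter A <a@example.com> 1 +0000\n\nmsg\n")
var AmbiguousCommit = []byte("tree 1111111111111111111111111111111111111111\ntree 2222222222222222222222222222222222222222\nauthor A <a@example.com> 1 +0000\ncommitter A <a@example.com> 1 +0000\n\nmsg\n")

func main() { fmt.Println(RoundTripsExactly(CleanCommit), RoundTripsExactly(AmbiguousCommit)) }
```

The clean object round-trips (true) while the one with a repeated header does not (false), which is exactly the case where a signature over the re-encoded form would no longer cover the bytes that were actually stored.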
Solution / Mitigation
Users should upgrade to a patched version. Versions prior to v5 are likely affected; upgrade to a supported go-git version.
Vulnerability Details
EPSS: 0.0%
May 11, 2026
Original source: https://github.com/advisories/GHSA-389r-gv7p-r3rp
First tracked: May 11, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 72%