Cyber Resilience

CVE-2025-21613

Critical

Published: 06 January 2025

Published
06 January 2025
Modified
17 April 2025
KEV Added
Patch
CVSS Score v4 9.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
EPSS Score 0.0383 88.4th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-21613 is a critical-severity Argument Injection (CWE-88) vulnerability in Go-Git Project Go-Git. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 11.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

go-git is a pure Go implementation of Git that provides library support for interacting with repositories. An argument injection vulnerability tracked as CVE-2025-21613 affects all versions prior to 5.13.0 and is assigned CWE-88. The flaw permits an attacker to supply arbitrary values for git-upload-pack flags, but only when the file transport protocol is in use because that code path invokes external Git binaries rather than handling operations entirely in-process.

An unauthenticated remote attacker can exploit the issue over the network by supplying a malicious repository URL that triggers the file transport. Successful exploitation can result in high impact to confidentiality, integrity, and availability because the attacker gains control over command-line flags passed to the Git binary.

The GitHub Security Advisory for GHSA-v725-9546-7q7m states that the vulnerability is resolved in go-git release 5.13.0 and recommends that users upgrade immediately. The associated EPSS score has remained flat at 0.0383 with no material increase since disclosure.

EU & UK References

Vulnerability details

go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags.…

more

This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Remote unauthenticated argument injection in a Git library directly enables exploitation of public-facing apps (T1190) and client-side execution via injected Git flags (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21614Same product: Go-Git Project Go-Git
CVE-2026-44193Shared CWE-88
CVE-2026-22582Shared CWE-88
CVE-2026-26194Shared CWE-88
CVE-2024-47516Shared CWE-88
CVE-2026-2298Shared CWE-88
CVE-2026-31230Shared CWE-88
CVE-2026-45158Shared CWE-88
CVE-2026-42284Shared CWE-88
CVE-2026-22583Shared CWE-88

Affected Assets

go-git project
go-git
≤ 5.13.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely remediation of the argument injection flaw in go-git by updating to version 5.13.0 or later, directly eliminating the vulnerability.

prevent

Implements input validation mechanisms to sanitize arguments before they are passed to git-upload-pack, countering the injection vulnerability.

detect

Provides vulnerability scanning to identify systems using vulnerable go-git versions prior to v5.13, enabling proactive patching.

References