CVE-2025-21613
Published: 06 January 2025
Summary
CVE-2025-21613 is a critical-severity Argument Injection (CWE-88) vulnerability in Go-Git Project Go-Git. Its CVSS base score is 9.2 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 11.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
go-git is a pure Go implementation of Git that provides library support for interacting with repositories. An argument injection vulnerability tracked as CVE-2025-21613 affects all versions prior to 5.13.0 and is assigned CWE-88. The flaw permits an attacker to supply arbitrary values for git-upload-pack flags, but only when the file transport protocol is in use because that code path invokes external Git binaries rather than handling operations entirely in-process.
An unauthenticated remote attacker can exploit the issue over the network by supplying a malicious repository URL that triggers the file transport. Successful exploitation can result in high impact to confidentiality, integrity, and availability because the attacker gains control over command-line flags passed to the Git binary.
The GitHub Security Advisory for GHSA-v725-9546-7q7m states that the vulnerability is resolved in go-git release 5.13.0 and recommends that users upgrade immediately. The associated EPSS score has remained flat at 0.0383 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-0045
Vulnerability details
go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags.…
more
This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated argument injection in a Git library directly enables exploitation of public-facing apps (T1190) and client-side execution via injected Git flags (T1203).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely remediation of the argument injection flaw in go-git by updating to version 5.13.0 or later, directly eliminating the vulnerability.
Implements input validation mechanisms to sanitize arguments before they are passed to git-upload-pack, countering the injection vulnerability.
Provides vulnerability scanning to identify systems using vulnerable go-git versions prior to v5.13, enabling proactive patching.