Cyber Resilience

CVE-2025-21614

Severity: High
Category: DDoS

Published: 06 January 2025

Modified: 30 September 2025
KEV Added: not listed
Patch: available (v5.13)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0022 (45.0th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-21614 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in go-git (vendor: Go-Git Project). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 45.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2025-21614 is a denial-of-service (DoS) vulnerability in go-git, a highly extensible Git implementation library written in pure Go. The flaw affects go-git versions prior to v5.13; users running versions from v4 and above are particularly advised to upgrade. It stems from CWE-400 (Uncontrolled Resource Consumption) and is rated CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): specially crafted responses from a Git server can trigger resource exhaustion in go-git clients.

An attacker controlling a malicious or compromised Git server can exploit this vulnerability remotely without authentication or user interaction. By sending crafted responses during client-server interactions, the attacker induces excessive resource consumption on the go-git client, leading to denial of service through crashes or unresponsiveness.

The go-git GitHub security advisory (GHSA-r9px-m959-cxf4) recommends upgrading to version v5.13 or later to mitigate the issue, as this release addresses the resource exhaustion problem in the client's handling of server responses.
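Since the fix is a version upgrade, the practical defender task is finding every service that still depends on an affected release. The following is an added example, not code from this page or from the go-git project: a small Go checker that flags go.mod requirements on go-git/v5 below v5.13.0, treating pre-releases and pseudo-versions of v5.13.0 as still affected. The module path github.com/go-git/go-git/v5 and the sample go.mod are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// go-git v5 module path (assumed for this example) and the first fixed release.
const goGitModule = "github.com/go-git/go-git/v5"
var fixedVersion = [3]int{5, 13, 0}

// IsVulnerable reports whether a go-git/v5 version is below v5.13.0; v5.13.0 pre-
// releases/pseudo-versions ("-" suffix) still count, unparseable versions are flagged.
func IsVulnerable(version string) bool {
	core, _, hasPre := strings.Cut(strings.TrimPrefix(version, "v"), "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return true
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n != fixedVersion[i] {
			return err != nil || n < fixedVersion[i]
		}
	}
	return hasPre // exactly 5.13.0, but a pre-release of it
}

// ScanGoMod returns the go-git/v5 versions required by a go.mod that are still
// affected by CVE-2025-21614; single-line and block require forms both work.
func ScanGoMod(goMod string) []string {
	var findings []string
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == goGitModule && IsVulnerable(f[1]) {
			findings = append(findings, f[1])
		}
	}
	return findings
}

// sampleGoMod is a constructed go.mod used to exercise the scanner offline.
const sampleGoMod = "module example.com/ci-tool\n\ngo 1.22\n\nrequire (\n\tgithub.com/go-git/go-git/v5 v5.12.0\n\tgolang.org/x/net v0.25.0 // indirect\n)\n"

func main() {
	for _, v := range ScanGoMod(sampleGoMod) {
		fmt.Printf("%s %s is below v5.13.0; upgrade (CVE-2025-21614)\n", goGitModule, v)
	}
}
```

Run it against real go.mod files (or `go list -m all` output, which uses the same "module version" layout per line) to inventory affected builds before patching.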

EU & UK References

Vulnerability details

go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

CWE(s)

CWE-400 Uncontrolled Resource Consumption

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

DoS via crafted server responses directly enables T1499.004 (Application or System Exploitation) to crash or degrade the go-git client endpoint.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21613 (same product: Go-Git Project go-git)
CVE-2024-56921 (shared CWE-400)
CVE-2026-33538 (shared CWE-400)
CVE-2026-0517 (shared CWE-400)
CVE-2026-6051 (shared CWE-400)
CVE-2026-21945 (shared CWE-400)
CVE-2026-33750 (shared CWE-400)
CVE-2024-33618 (shared CWE-400)
CVE-2025-69534 (shared CWE-400)
CVE-2025-29487 (shared CWE-400)

Affected Assets

go-git project: go-git ≤ 5.13.0

Mitigating Controls (NIST 800-53 r5, AI-mapped)

SI-2 Flaw Remediation (prevent): Mandates timely identification, reporting, and correction of flaws such as the resource exhaustion vulnerability in go-git by upgrading to v5.13.

SC-6 Resource Availability (prevent): Limits resource allocation to processes handling Git server responses, preventing exhaustion from specially crafted inputs.

SC-5 Denial-of-Service Protection (prevent): Protects against denial-of-service events including resource exhaustion triggered by malicious Git server responses.

References