CVE-2025-21614
Published: 06 January 2025
Summary
CVE-2025-21614 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in the go-git library (vendor: Go-Git Project, product: Go-Git). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 44.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and correction of flaws such as the resource exhaustion vulnerability in go-git, here by upgrading to v5.13.
- SC-6 (Resource Availability): limits the resources allocated to processes that handle Git server responses, so specially crafted input cannot exhaust them.
- SC-5 (Denial-of-service Protection): protects against denial-of-service events, including resource exhaustion triggered by malicious Git server responses.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A DoS delivered through crafted server responses maps directly to T1499.004 (Application or System Exploitation): the attacker crashes or degrades the go-git client endpoint.
NVD Description
go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.
Deeper analysis
CVE-2025-21614 is a denial-of-service (DoS) vulnerability in go-git, a highly extensible Git implementation library written in pure Go. The flaw affects go-git versions prior to v5.13; users running any version from v4 upward are advised to upgrade. It is classified as CWE-400 (Uncontrolled Resource Consumption) and rated CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): specially crafted responses from a Git server trigger resource exhaustion in go-git clients.
An attacker who controls a malicious or compromised Git server can exploit this vulnerability remotely, without authentication or user interaction. By sending crafted responses during the client-server exchange, the attacker drives the go-git client into excessive resource consumption, which results in denial of service through crashes or unresponsiveness.
go-git's GitHub security advisory (GHSA-r9px-m959-cxf4) recommends upgrading to v5.13 or later, as that release fixes the resource exhaustion in the client's handling of server responses.
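Since the only fix is the version upgrade, the practical defender task is finding every go.mod that still pins an affected go-git. The following Go program is an added example, not code from the advisory or the go-git project: it scans go.mod text for the go-git v4 and v5 module paths and flags pins below v5.13.0, treating pre-releases and pseudo-versions of v5.13.0 as still affected and unparsable pins as needing review. The sample go.mod in main is constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// VulnerableGoGit reports whether modulePath at version is affected by CVE-2025-21614, i.e. a
// go-git v4+ module pinned below the fixed v5.13.0. Pre-releases and pseudo-versions of v5.13.0
// sort before the release and count as affected; pins that cannot be parsed are flagged too.
func VulnerableGoGit(modulePath, version string) bool {
	if modulePath != "gopkg.in/src-d/go-git.v4" && modulePath != "github.com/go-git/go-git/v5" {
		return false
	}
	v, _, pre := strings.Cut(strings.TrimPrefix(version, "v"), "-") // pre: "-rc1" or pseudo-version suffix
	var n [3]int
	for i, p := range strings.Split(v, ".") {
		x, err := strconv.Atoi(p)
		if i > 2 || err != nil {
			return true // not X.Y.Z: flag for manual review
		}
		n[i] = x
	}
	return n[0] < 5 || n[0] == 5 && (n[1] < 13 || n[1] == 13 && n[2] == 0 && pre)
}

// AffectedRequires returns "path version" for every affected require entry in go.mod text.
func AffectedRequires(gomod string) (hits []string) {
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		f := strings.Fields(raw) // a trailing "// indirect" only adds fields we ignore
		if len(f) > 0 && f[0] == "require" {
			f = f[1:] // single-line "require path version" or the "require (" opener
		} else if !inBlock {
			continue
		}
		if len(f) > 0 && (f[0] == "(" || f[0] == ")") {
			inBlock = f[0] == "("
		} else if len(f) >= 2 && VulnerableGoGit(f[0], f[1]) {
			hits = append(hits, f[0]+" "+f[1])
		}
	}
	return hits
}

// Constructed sample go.mod with one affected pin and one fixed pin.
func main() {
	fmt.Println(AffectedRequires("module example.com/app\n\nrequire (\n\tgopkg.in/src-d/go-git.v4 v4.13.1 // indirect\n\tgithub.com/go-git/go-git/v5 v5.13.1\n)\n"))
}
```

Point the scanner at each repository's go.mod; a non-empty result is a module that still needs the v5.13 upgrade (SI-2), and an indirect hit means the fix must come through the dependency that pulls go-git in.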
Details
- CWE(s)