Go-Git v5.17.1 Patches Critical Index Decoder Vulnerability (CVE-2026-33762)

A critical security flaw in the widely used `go-git` library has been patched in version 5.17.1. The vulnerability, tracked as CVE-2026-33762, resides in the index decoder for format version 4. The decoder fails to perform a crucial validation step, allowing a maliciously crafted Git index file to trigger an out-of-bounds slice operation. This flaw results in a runtime panic during standard index parsing, potentially crashing any application that uses the library to process a compromised repository index.

The vulnerability specifically impacts the `github.com/go-git/go-git/v5` package. The patch, moving from version 5.17.0 to 5.17.1, addresses the missing validation of the path name prefix length before it is applied to a previously decoded path name. This oversight creates a direct vector for denial-of-service attacks against services and tools that rely on `go-git` for repository operations. The security advisory (GHSA-gm2x-2g9h-ccm8) was published by the project maintainers, highlighting the risk associated with parsing untrusted index files.

The update is classified as a security fix, mandating immediate attention from development and security teams. Given `go-git`'s role as a core Git implementation in the Go ecosystem, this vulnerability has a broad potential impact across CI/CD pipelines, code analysis tools, and backend services that programmatically interact with Git repositories. The silent nature of the trigger—parsing a normal-looking index—increases the risk of exploitation. Organizations must prioritize this dependency update to mitigate the risk of service instability and targeted crashes.