Go-Git v5.17.1 Patches Critical Index Decoder Vulnerability (CVE-2026-33762)

A critical security flaw in the widely-used Go-Git library has been patched, exposing countless projects to potential denial-of-service attacks via maliciously crafted Git index files. The vulnerability, tracked as CVE-2026-33762, resides in the library's index decoder for format version 4. The decoder fails to perform a crucial validation step, allowing a malicious index file to trigger an out-of-bounds slice operation. This flaw results in a runtime panic during normal index parsing, effectively crashing any application that uses the vulnerable version to read a poisoned repository.

The issue specifically affects `github.com/go-git/go-git/v5` versions prior to v5.17.1. The patch, released as v5.17.1, addresses the missing validation of the path name prefix length before it is applied to a previously decoded path name. This is a classic case of insufficient input sanitization in a core parsing function, a failure point that can be weaponized to disrupt services. The update is being pushed via automated dependency managers like RenovateBot, signaling its high priority within the software supply chain.

The impact is confined to denial-of-service, but its presence in a fundamental library for Git operations in Go means the blast radius is significant. Any service that clones, fetches, or analyzes Git repositories using the affected go-git version is at risk if it processes a malicious index. While no evidence of exploitation in the wild is mentioned, the public disclosure and urgent patch release pressure development teams to immediately update their dependencies to close this vector before it can be leveraged in targeted attacks.