## Security Alert: go-git v5.17.1 Patches Critical Index Parsing Vulnerability (CVE-2026-33762)
A critical security flaw in the popular Go library `go-git` has been patched, addressing a vulnerability that could allow an attacker to crash applications by supplying a maliciously crafted Git index file. The issue, tracked as CVE-2026-33762, resides in the index decoder for format version 4, which fails to properly validate a path name prefix length before applying it. This oversight can trigger an out-of-bounds slice operation, causing a runtime panic during normal index parsing. The vulnerability is specific to Git index format version 4; earlier versions (v2 and v3) supported by the library are not affected.

The update from version `v5.16.5` to `v5.17.1` is classified as a security fix. The impact is direct: any application using a vulnerable version of `go-git` to parse a malicious `.git/index` file could experience a process-terminating panic if the application does not implement proper panic recovery mechanisms. This creates a clear denial-of-service vector for services that rely on this library for Git operations, such as CI/CD pipelines, code analysis tools, or version control systems built in Go.

This patch underscores the persistent risk in foundational development tools where a single parsing flaw can become a systemic weakness. Developers and organizations must prioritize applying this update to mitigate the risk of service disruption. The advisory serves as a critical reminder that even indirect dependencies in the software supply chain require vigilant monitoring for security updates to prevent operational instability.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, go, git, supply-chain
- **Credibility**: unverified
- **Published**: 2026-03-31 17:27:30
- **ID**: 43733
- **URL**: https://whisperx.ai/en/intel/43733