## Go-Git v5.17.1 Patches Critical Index Decoder Vulnerability (CVE-2026-33762)
A critical security flaw in the widely used `go-git/v5` library has been patched, exposing countless Go-based applications and CI/CD pipelines to potential denial-of-service attacks. The vulnerability, tracked as CVE-2026-33762, resides in the library's index decoder for format version 4. The flaw allows a maliciously crafted Git index file to trigger an out-of-bounds slice operation, causing a runtime panic and crashing any process that attempts to parse the corrupted index during normal repository operations.

The issue specifically impacts the `github.com/go-git/go-git/v5` package. The security advisory from the project maintainers details that the decoder fails to validate the path name prefix length before applying it to a previously decoded path name. This lack of validation is the root cause enabling the panic. The patch, released in version v5.17.1, addresses this validation gap. The update represents a minor version bump from v5.17.0, indicating the fix is contained and backward-compatible for users performing the upgrade.

This vulnerability poses a direct risk to software supply chains and automated systems that rely on `go-git` for Git operations, such as dependency management tools, code analysis platforms, and deployment scripts. An attacker could potentially disrupt these systems by introducing a poisoned index file into a repository. While the immediate impact is a crash (panic), such disruptions in automated environments can lead to failed builds, stalled deployments, and broader operational instability. The prompt release of the patch underscores the severity with which the maintainers treat runtime stability threats in core library components.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: vulnerability, supply-chain, go, git, security-patch
- **Credibility**: unverified
- **Published**: 2026-04-03 07:27:06
- **ID**: 48622
- **URL**: https://whisperx.ai/en/intel/48622