## Go-Git Security Flaw: HTTP Credentials Leak via Redirect in v5.17.1 and Prior
A critical security vulnerability in the popular Go-Git library exposes HTTP authentication credentials to potential theft. The flaw, tracked as GHSA-3xc5-wrhm-f963, allows credentials to leak to unintended hosts during standard repository operations. This creates a direct pathway for attackers to capture sensitive access tokens and authorization headers, compromising repository security and potentially granting unauthorized access to a victim's codebase and other resources.

The vulnerability resides in the library's handling of HTTP redirects during smart-HTTP clone and fetch operations. When a remote repository responds to the initial `/info/refs` request with a redirect to a different host, go-git updates the session endpoint but incorrectly reuses the original authentication credentials for all subsequent requests to the new location. This design flaw means that if an attacker can control or influence the redirect target—for instance, by compromising a repository or its infrastructure—they can intercept the Authorization headers. The captured credentials could then be reused to impersonate the victim, accessing not only the intended repository but potentially other systems where the same credentials are valid.
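As an added illustration, not go-git's own code and not the actual change shipped in v5.18.0, the Go model below keeps a smart-HTTP session's endpoint and credential together and forgets the credential whenever a `Location` target lies on a different origin, so the follow-up `git-upload-pack` request to the new host goes out without an `Authorization` header. The names `session`, `sameOrigin`, `followRedirect` and `newRequest` are hypothetical, and the hostnames and token are constructed.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// session models what a smart-HTTP client keeps between GET /info/refs and the
// POST to git-upload-pack. Hypothetical illustration, not go-git's own code.
type session struct {
	endpoint *url.URL
	auth     string // Authorization header value, "" when none
}

// sameOrigin reports whether a credential issued for a may be sent to b: scheme
// and host:port must match exactly (a sibling subdomain also drops the credential).
func sameOrigin(a, b *url.URL) bool {
	return strings.EqualFold(a.Scheme, b.Scheme) && strings.EqualFold(a.Host, b.Host)
}

// followRedirect moves the session to the Location target, as the vulnerable
// code does, but forgets the credential when the target is another origin.
func (s *session) followRedirect(location string) error {
	next, err := s.endpoint.Parse(location) // relative Locations stay same-origin
	if err != nil {
		return err
	}
	if !sameOrigin(s.endpoint, next) {
		s.auth = "" // the credential was minted for the original host only
	}
	s.endpoint = next
	return nil
}

// newRequest attaches Authorization only if the session still holds a credential.
func (s *session) newRequest(method, path string) (*http.Request, error) {
	req, err := http.NewRequest(method, s.endpoint.JoinPath(path).String(), nil)
	if err != nil {
		return nil, err
	}
	if s.auth != "" {
		req.Header.Set("Authorization", s.auth)
	}
	return req, nil
}
```

Go's own `http.Client` strips `Authorization` only for redirects it follows itself; a client that re-targets later requests from a stored endpoint, as described above, needs the check at the point where that endpoint is updated.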

The issue affects versions prior to v5.18.0, and the maintainers have released v5.18.0 to close it. This incident underscores the persistent risks in software supply chains, where a core library used by countless Go applications for Git operations can become a single point of failure. Developers and organizations relying on go-git must urgently update their dependencies to the patched version to mitigate the risk of credential exposure and subsequent account or repository takeover.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security-vulnerability, supply-chain, go, git, credential-leak
- **Credibility**: unverified
- **Published**: 2026-04-18 03:22:38
- **ID**: 70307
- **URL**: https://whisperx.ai/en/intel/70307