## Go-Git Security Flaw Exposes HTTP Credentials in Redirects, Prompts Urgent Dependency Updates
A critical vulnerability in the widely used `go-git` library can leak HTTP authentication credentials during ordinary Git operations. The flaw, tracked as GHSA-3xc5-wrhm-f963, is triggered when a remote repository answers a clone or fetch request with a redirect to a different host. The library updates its session endpoint to follow the redirect, but keeps attaching the authentication headers supplied for the original host to the requests it then sends to the new one, so credentials meant for the first server are delivered to whatever server the redirect points at, including one controlled by an attacker.

The vulnerability specifically affects smart-HTTP clone and fetch operations, core functions for interacting with Git repositories over HTTP/S. The issue resides in how the `go-git/v5` library handles HTTP session state during redirects. Multiple projects have already issued pull requests to update their dependencies, moving from vulnerable versions like `v5.17.1` and `v5.17.2` to the patched `v5.18.0`. These updates are marked as security-related and often bundled with other dependency maintenance, such as updates to the `pgx` PostgreSQL driver.
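
The following is an added illustration of the failure mode described above, not go-git's code and not the patch. It models a smart-HTTP session in about fifty lines: a GET to `info/refs` that is answered with a 302 to a second host, the session endpoint being rewritten to that host, and the follow-up POST to `git-upload-pack`. Two constructed `httptest` servers stand in for the original remote and the redirect target (they differ only by port, which is enough for a host comparison); the token, repository paths and the `redirectSession` type are invented for the example. With `bindAuth` false the token reaches the second host; with `bindAuth` true the credential is bound to the host it was issued for and is dropped once the endpoint changes.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

// redirectSession is a minimal model of the state a smart-HTTP Git client keeps
// between the info/refs discovery call and the git-upload-pack call.
// Illustration only: this is not go-git's implementation.
type redirectSession struct {
	endpoint *url.URL     // repository base URL; rewritten when the server redirects
	authHost string       // host the credential was originally supplied for
	token    string       // constructed token, never a real credential
	bindAuth bool         // hardened mode: only send the token to authHost
	client   *http.Client // does not auto-follow; the session follows redirects itself
}

func newRedirectSession(repo, token string, bindAuth bool) (*redirectSession, error) {
	u, err := url.Parse(repo)
	if err != nil {
		return nil, err
	}
	return &redirectSession{
		endpoint: u, authHost: u.Host, token: token, bindAuth: bindAuth,
		client: &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse // surface the 3xx instead of following it
		}},
	}, nil
}

// applyAuth is the only place credentials are attached. Vulnerable behaviour:
// attach unconditionally. Hardened behaviour: attach only when the request
// host is the host the credential was given for.
func (s *redirectSession) applyAuth(req *http.Request) {
	if s.bindAuth && req.URL.Host != s.authHost {
		return
	}
	req.Header.Set("Authorization", "Bearer "+s.token)
}

// discover performs the info/refs step and, on a redirect, rewrites the
// session endpoint to the new host: the state transition the advisory describes.
func (s *redirectSession) discover() error {
	req, err := http.NewRequest(http.MethodGet, s.endpoint.String()+"/info/refs?service=git-upload-pack", nil)
	if err != nil {
		return err
	}
	s.applyAuth(req)
	resp, err := s.client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode >= 300 && resp.StatusCode < 400 {
		loc, err := resp.Location()
		if err != nil {
			return err
		}
		loc.Path = strings.TrimSuffix(loc.Path, "/info/refs")
		loc.RawQuery = ""
		s.endpoint = loc
	}
	return nil
}

// uploadPack performs the second round trip of a fetch against whatever host
// the session now points at.
func (s *redirectSession) uploadPack() error {
	req, err := http.NewRequest(http.MethodPost, s.endpoint.String()+"/git-upload-pack", strings.NewReader(""))
	if err != nil {
		return err
	}
	s.applyAuth(req)
	resp, err := s.client.Do(req)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// simulateCrossHostRedirect starts two constructed servers: "origin" answers
// info/refs with a 302 to "other", and "other" records the Authorization header
// it receives. It returns that recorded value; "" means the credential stayed home.
func simulateCrossHostRedirect(bindAuth bool) (string, error) {
	var mu sync.Mutex
	received := ""
	other := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		received = r.Header.Get("Authorization")
		mu.Unlock()
		w.WriteHeader(http.StatusOK)
	}))
	defer other.Close()
	origin := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, other.URL+"/mirror.git/info/refs?service=git-upload-pack", http.StatusFound)
	}))
	defer origin.Close()

	s, err := newRedirectSession(origin.URL+"/repo.git", "constructed-token-not-a-secret", bindAuth)
	if err != nil {
		return "", err
	}
	if err := s.discover(); err != nil {
		return "", err
	}
	if err := s.uploadPack(); err != nil {
		return "", err
	}
	mu.Lock()
	defer mu.Unlock()
	return received, nil
}

func main() {
	leaked, _ := simulateCrossHostRedirect(false)
	fmt.Printf("vulnerable session: redirect target received Authorization=%q\n", leaked)
	kept, _ := simulateCrossHostRedirect(true)
	fmt.Printf("hardened session:   redirect target received Authorization=%q\n", kept)
}
```

The `CheckRedirect` hook returning `http.ErrUseLastResponse` matters: Go's `net/http` client would otherwise follow the redirect itself and, for a different domain, drop the `Authorization` header on its own. A client that handles the 3xx manually and re-issues requests from a mutable endpoint takes on that responsibility, which is why the fix belongs in the one function that attaches credentials rather than in the redirect handling.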

The exposure is a direct supply chain risk for any application or service that embeds an affected `go-git` version for Git automation. Developers and security teams should audit their dependency trees (for a Go module, `go list -m github.com/go-git/go-git/v5` shows the resolved version) and apply the minor version update promptly. The leak is silent and happens during a routine, trusted operation, which heightens the risk: a compromised or malicious repository only needs to answer a clone or fetch with a redirect to harvest access tokens, basic auth credentials, or other authentication data from client systems. Teams whose affected clients fetched from remotes they do not control should treat the credentials those clients used as potentially exposed.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: vulnerability, supply-chain, git, credentials, go
- **Credibility**: unverified
- **Published**: 2026-04-18 05:22:31
- **ID**: 70360
- **URL**: https://whisperx.ai/en/intel/70360