## Go-Git Library Exposes Critical Integrity Flaw: CVE-2026-25934 Targets .idx and .pack Files
A newly disclosed security vulnerability in the widely used Go-Git library exposes a critical flaw in how it verifies data integrity. The vulnerability, tracked as CVE-2026-25934 (GHSA-37cx-329c-33x3), stems from improper verification of data integrity values for .idx and .pack files. This core failure in a fundamental security check within a key dependency for Git operations in Go applications creates a direct vector for potential supply chain attacks and data corruption.

The flaw resides in `github.com/go-git/go-git/v5`, a popular library for implementing Git operations in Go. The issue is not a minor bug but a failure in the integrity verification mechanism for Git's packfile format—the compressed object storage that forms the backbone of repository data. The library's inability to properly validate checksums or hashes for .idx (index) and .pack (packed object) files means maliciously altered repository data could be accepted as valid. This vulnerability was serious enough to prompt an immediate security advisory from the project maintainers and a coordinated update to version v5.18.0 to address it.
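
The kind of check this paragraph refers to, as an added example (not go-git's code and not the v5.18.0 fix): Git ends every .pack and .idx file with a hash of all preceding bytes, and a v2 .idx also records its pack's checksum immediately before its own. The sketch assumes SHA-1 repositories; `seal`, `verifyTrailer` and `VerifyPackPair` are hypothetical names, and the sample bytes in `main` are constructed.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"fmt"
)

// seal appends SHA-1(body), the trailer Git writes at the end of .pack and .idx files.
func seal(body []byte) []byte {
	sum := sha1.Sum(body)
	return append(append([]byte{}, body...), sum[:]...)
}

// verifyTrailer returns the trailing checksum if it equals SHA-1 of the preceding bytes.
func verifyTrailer(name string, data []byte) ([]byte, error) {
	n := len(data) - sha1.Size
	if n < 0 {
		return nil, fmt.Errorf("%s: too short for a checksum trailer", name)
	}
	if sum := sha1.Sum(data[:n]); !bytes.Equal(sum[:], data[n:]) {
		return nil, fmt.Errorf("%s: trailer mismatch: computed %x, recorded %x", name, sum, data[n:])
	}
	return data[n:], nil
}

// VerifyPackPair checks both trailers and that the .idx names this exact .pack.
func VerifyPackPair(pack, idx []byte) error {
	packSum, err := verifyTrailer("pack", pack)
	if err != nil {
		return err
	}
	if _, err := verifyTrailer("idx", idx); err != nil {
		return err
	}
	n := len(idx) - 2*sha1.Size // an .idx ends with <pack checksum><idx checksum>
	if n < 0 || !bytes.Equal(idx[n:n+sha1.Size], packSum) {
		return fmt.Errorf("idx: recorded pack checksum does not match the pack")
	}
	return nil
}

func main() {
	// Constructed sample: an object-less v2 pack and a v2 idx with an empty fanout table.
	pack := seal([]byte("PACK\x00\x00\x00\x02\x00\x00\x00\x00"))
	idxBody := append([]byte("\xfftOc\x00\x00\x00\x02"), make([]byte, 256*4)...)
	idx := seal(append(idxBody, pack[len(pack)-sha1.Size:]...))
	fmt.Println("intact:", VerifyPackPair(pack, idx))
	pack[5] ^= 0xff // constructed single-byte corruption
	fmt.Println("modified:", VerifyPackPair(pack, idx))
}
```

A check like this catches corruption and mismatched pack/index pairs only; it does not authenticate who produced the repository data.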

The implications are significant for any application or service relying on this library to clone, fetch, or interact with Git repositories. The risk is not theoretical; it enables a scenario where an attacker could serve a manipulated repository, potentially injecting malicious code or corrupting project history in a way that appears legitimate to the vulnerable client. The silent nature of the failure—a lack of proper verification—means detection would be difficult without the patch. This incident underscores the persistent security pressure on foundational open-source infrastructure and the cascading risks when a core data integrity mechanism fails.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-25934, Go-Git, Supply Chain Security, Git Security, Data Integrity
- **Credibility**: unverified
- **Published**: 2026-04-20 02:22:32
- **ID**: 71628
- **URL**: https://whisperx.ai/en/intel/71628