## CVE-2026-45022: go-git Library Patches Malformed Object Parsing Discrepancy Against Upstream Git
The go-git project has released version 5.19.0 to address a security vulnerability that could allow specially crafted Git objects to be parsed differently than upstream Git implementations. The flaw, tracked as CVE-2026-45022 and documented as GHSA-389r-gv7p-r3rp, affects the go-git v5 library's handling of malformed commit and tag objects.

The vulnerability stems from go-git's parsing logic diverging from the reference Git implementation when processing malformed objects. This inconsistency could enable an attacker to create repository objects that behave differently depending on whether they are processed by go-git-based tools or standard Git clients. Applications relying on go-git for repository operations—including code hosting platforms, CI/CD tooling, and security scanning systems—may be exposed if they process untrusted repositories or receive pull requests from external sources.

The security advisory recommends upgrading immediately from the previous v5.18.0 release to go-git v5.19.0. Projects using older versions should audit their exposure, particularly those operating in multi-client environments where go-git tools interact with conventional Git installations. The parsing discrepancy matters most in security-critical workflows that depend on object integrity and on every tool interpreting the same object the same way. Maintainers of affected packages should monitor for downstream updates and verify that their dependency chains incorporate the patched version.
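
One way to run the dependency check described above, as an added example rather than code from the go-git project or the advisory: it scans a `go.mod` for `require` entries of go-git v5 below v5.19.0. The module path `github.com/go-git/go-git/v5` is the library's import path and is not stated on this page; the function names and the sample line are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Import path of the library (assumed, not on the page) and the fixed release named above.
const modPath = "github.com/go-git/go-git/v5"

var fixed = [3]int{5, 19, 0}

// vulnerable: true if v sorts before the fix; pre-releases of it and unparsable input count.
func vulnerable(v string) bool {
	core, _, pre := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	var n [3]int
	if _, err := fmt.Sscanf(core, "%d.%d.%d", &n[0], &n[1], &n[2]); err != nil {
		return true
	}
	for i := range n {
		if n[i] != fixed[i] {
			return n[i] < fixed[i]
		}
	}
	return pre // same numbers as the fix: only a pre-release or pseudo-version is older
}

// auditGoMod returns go-git v5 versions below the fix that a go.mod requires
// (single-line or block form). replace and exclude entries are skipped.
func auditGoMod(gomod string) (hits []string) {
	block := "" // directive of the parenthesised block we are inside, if any
	for _, raw := range strings.Split(gomod, "\n") {
		line, _, _ := strings.Cut(raw, "//") // drop "// indirect" comments
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[1] == "(":
			block = f[0]
		case len(f) == 1 && f[0] == ")":
			block = ""
		case len(f) == 3 && f[0] == "require" && f[1] == modPath && vulnerable(f[2]),
			len(f) == 2 && block == "require" && f[0] == modPath && vulnerable(f[1]):
			hits = append(hits, f[len(f)-1])
		}
	}
	return hits
}

func main() {
	// Constructed go.mod line; a real audit would pass the file read with os.ReadFile.
	fmt.Println(auditGoMod("require " + modPath + " v5.18.0\n"))
}
```

A `go.mod` shows only what this module requires; `go list -m all` prints the build list the toolchain actually selects, including the effect of `replace` directives.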

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-45022, security vulnerability, git parsing, open source, dependency update
- **Credibility**: unverified
- **Published**: 2026-05-12 06:18:29
- **ID**: 82109
- **URL**: https://whisperx.ai/en/intel/82109