go-git, HTTP Authentication Credentials Leak via Cross-Host Redirect (CVE: N/A)

Listen to this Post

The vulnerability arises from how go-git handles HTTP redirects during smart-HTTP clone and fetch operations. When a remote repository responds to the initial `/info/refs` request with a redirect to a different host, go-git updates its session endpoint to the new location. Crucially, it reuses the original authentication credentials (e.g., Authorization headers) for subsequent requests to the unintended host. An attacker controlling or influencing the redirect target can capture these credentials. This can lead to unauthorized access to the victim’s repositories or other resources, depending on the scope of the leaked credential. The issue is particularly risky when interacting with untrusted or misconfigured Git servers, or when using unsecured HTTP connections. The vulnerability is fixed in go-git versions v5.18.0 and v6.0.0-alpha.2. The patched versions introduce a configurable `followRedirects` policy, with the default set to initial, while allowing users to opt into `FollowRedirects` or NoFollowRedirects. Clients using go-git exclusively with trusted remotes over HTTPS are not affected.

DailyCVE Form:

Platform: go-git library
Version: prior v5.18.0
Vulnerability: credential leak via redirect
Severity: medium
date: 2026-04-17

Prediction: Patch already available

Analytics under heading What Undercode Say:

Check current go-git version
go list -m github.com/go-git/go-git/v5
Test for vulnerability (simulate a redirect)
git clone --verbose https://victim.com/repo.git
Upgrade to patched version
go get github.com/go-git/go-git/[email protected]

How Exploit:

  1. Attacker sets up a malicious Git server that responds to `/info/refs` with a 302 redirect to a different host.
  2. Victim uses go-git to clone or fetch from the attacker’s server.
  3. go-git follows the redirect and sends the victim’s original authentication headers to the attacker’s controlled host.
  4. Attacker captures the credentials and reuses them to access the victim’s resources.

Protection from this CVE:

  • Upgrade to go-git v5.18.0 or v6.0.0-alpha.2.
  • Configure `followRedirects` policy to `NoFollowRedirects` in untrusted environments.
  • Always use HTTPS and avoid unencrypted HTTP connections.
  • Restrict clone/fetch operations to trusted remotes only.

Impact:

An attacker can capture HTTP authentication credentials (e.g., Bearer tokens, Basic Auth) by exploiting cross-host redirects, leading to unauthorized access to the victim’s Git repositories and potentially other services where those credentials are valid.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top