Bug 2335901 (CVE-2025-21614)

Summary: CVE-2025-21614 go-git: go-git clients vulnerable to DoS via maliciously crafted Git server replies
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: adudiak, agarcial, akoudelk, alcohan, amctagga, anjoseph, anpicker, aoconnor, aprice, asegurap, bbrownin, bniver, bparees, brainfor, carogers, caswilli, crizzo, danken, dbosanac, dfreiber, dhanak, drosa, drow, dsimansk, dymurray, eglynn, erezende, fdeutsch, flucifre, gkamathe, gmeno, gparvin, groman, haoli, hasun, hkataria, ibolton, jajackso, jbalunas, jburrell, jcammara, jcantril, jforrest, jfula, jitsingh, jjoyce, jkoehler, jmatthew, jmitchel, jmontleo, jneedle, jowilson, jprabhak, jreimann, jsamir, jschluet, jwong, kaycoth, kegrant, kingland, koliveir, kshier, kverlaen, lball, lbragsta, lchilton, lgamliel, lhh, ljawale, lphiri, lsharar, lsvaty, luizcosta, mabashia, manissin, matzew, mbenjamin, mburns, mdessi, mgarciac, mhackett, mnovotny, mpierce, mrizzi, ngough, njean, nweather, nyancey, oezr, omaciel, ometelka, oramraz, owatkins, pahickey, pakotvan, pbraun, pcattana, pgaikwad, pgrist, pierdipi, ptisnovs, rbobbitt, rfreiman, rguimara, rhaigner, rhos-maint, rhuss, rjohnson, rojacob, sakbas, sausingh, sdawley, sfeifer, shvarugh, simaishi, slucidi, smcdonal, smullick, sostapov, sseago, stcannon, sthirugn, stirabos, syedriko, teagle, tfister, thason, thavo, vereddy, veshanka, vkrizan, vkumar, wenshen, whayutin, wtam, xdharmai, xiyuan, yguenane, zkayyali
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A denial of service (DoS) vulnerability was found in go-git. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server, which triggers resource exhaustion in go-git clients.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2335995, 2336014, 2336015, 2336016, 2336017, 2336018, 2336019, 2336020    
Bug Blocks:    

Description OSIDB Bzimport 2025-01-06 17:02:01 UTC 
go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.
Comment 2 errata-xmlrpc 2025-01-20 01:34:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:0401 https://access.redhat.com/errata/RHSA-2025:0401
Comment 3 errata-xmlrpc 2025-01-23 09:30:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:0662 https://access.redhat.com/errata/RHSA-2025:0662
Comment 4 errata-xmlrpc 2025-01-28 04:28:54 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:0654 https://access.redhat.com/errata/RHSA-2025:0654
Comment 6 errata-xmlrpc 2025-02-03 22:40:57 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.6

Via RHSA-2025:0907 https://access.redhat.com/errata/RHSA-2025:0907
Comment 7 errata-xmlrpc 2025-02-11 10:54:03 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:1119 https://access.redhat.com/errata/RHSA-2025:1119
Comment 8 errata-xmlrpc 2025-02-11 21:22:27 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.5

Via RHSA-2025:1334 https://access.redhat.com/errata/RHSA-2025:1334
Comment 9 errata-xmlrpc 2025-02-13 18:14:46 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.4

Via RHSA-2025:1468 https://access.redhat.com/errata/RHSA-2025:1468
Comment 10 errata-xmlrpc 2025-02-25 04:38:19 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2024:6122 https://access.redhat.com/errata/RHSA-2024:6122
Comment 11 errata-xmlrpc 2025-02-26 13:39:41 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2025:1869 https://access.redhat.com/errata/RHSA-2025:1869
Comment 12 errata-xmlrpc 2025-02-26 13:47:55 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2025:1870 https://access.redhat.com/errata/RHSA-2025:1870
Comment 13 errata-xmlrpc 2025-02-26 19:14:10 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.15

Via RHSA-2025:1888 https://access.redhat.com/errata/RHSA-2025:1888
Comment 14 errata-xmlrpc 2025-02-27 00:33:16 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2025:1704 https://access.redhat.com/errata/RHSA-2025:1704
Comment 16 errata-xmlrpc 2025-03-20 08:38:27 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.14

Via RHSA-2025:3069 https://access.redhat.com/errata/RHSA-2025:3069