Bug 2335901 (CVE-2025-21614)

Summary: CVE-2025-21614 go-git: go-git clients vulnerable to DoS via maliciously crafted Git server replies
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: adudiak, agarcial, alcohan, amctagga, anjoseph, aoconnor, aprice, asegurap, bkabrda, bniver, brainfor, caswilli, danken, dbosanac, dfreiber, dhanak, drow, dsimansk, dymurray, eglynn, fdeutsch, flucifre, gkamathe, gmeno, gparvin, jburrell, jforrest, jitsingh, jjoyce, jkoehler, jmatthew, jprabhak, jreimann, jsamir, jschluet, jwong, kaycoth, kingland, kshier, kverlaen, lball, lchilton, lgamliel, lhh, lphiri, lsharar, lsvaty, luizcosta, matzew, mbenjamin, mburns, mdessi, mgarciac, mhackett, mnovotny, mpierce, mrizzi, ngough, njean, nweather, omaciel, oramraz, owatkins, pahickey, pcattana, pgrist, pierdipi, rbobbitt, rfreiman, rguimara, rhaigner, rhos-maint, rhuss, rjohnson, sausingh, sdawley, sfeifer, smullick, sostapov, stcannon, sthirugn, stirabos, thason, vereddy, veshanka, vkrizan, vkumar, whayutin, wtam, yguenane, zkayyali
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A denial of service (DoS) vulnerability was found in go-git. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server, which triggers resource exhaustion in go-git clients.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2335995, 2336014, 2336015, 2336016, 2336017, 2336018, 2336019, 2336020    
Bug Blocks:    

Description OSIDB Bzimport 2025-01-06 17:02:01 UTC 
go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.
Comment 2 errata-xmlrpc 2025-01-20 01:34:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:0401 https://access.redhat.com/errata/RHSA-2025:0401
Comment 3 errata-xmlrpc 2025-01-23 09:30:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:0662 https://access.redhat.com/errata/RHSA-2025:0662
Comment 4 errata-xmlrpc 2025-01-28 04:28:54 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:0654 https://access.redhat.com/errata/RHSA-2025:0654
Comment 6 errata-xmlrpc 2025-02-03 22:40:57 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.6

Via RHSA-2025:0907 https://access.redhat.com/errata/RHSA-2025:0907
Comment 7 errata-xmlrpc 2025-02-11 10:54:03 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:1119 https://access.redhat.com/errata/RHSA-2025:1119
Comment 8 errata-xmlrpc 2025-02-11 21:22:27 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.5

Via RHSA-2025:1334 https://access.redhat.com/errata/RHSA-2025:1334
Comment 9 errata-xmlrpc 2025-02-13 18:14:46 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.4

Via RHSA-2025:1468 https://access.redhat.com/errata/RHSA-2025:1468
Comment 10 errata-xmlrpc 2025-02-25 04:38:19 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2024:6122 https://access.redhat.com/errata/RHSA-2024:6122
Comment 11 errata-xmlrpc 2025-02-26 13:39:41 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2025:1869 https://access.redhat.com/errata/RHSA-2025:1869
Comment 12 errata-xmlrpc 2025-02-26 13:47:55 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2025:1870 https://access.redhat.com/errata/RHSA-2025:1870
Comment 13 errata-xmlrpc 2025-02-26 19:14:10 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.15

Via RHSA-2025:1888 https://access.redhat.com/errata/RHSA-2025:1888
Comment 14 errata-xmlrpc 2025-02-27 00:33:16 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2025:1704 https://access.redhat.com/errata/RHSA-2025:1704
Comment 16 errata-xmlrpc 2025-03-20 08:38:27 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.14

Via RHSA-2025:3069 https://access.redhat.com/errata/RHSA-2025:3069