go-billy: Lack of depth and cycle detection in symlink resolution may lead to infinite loops and resource exhaustion
GHSA-m3xc-h892-ggx6 · CVE-2026-44740
Published · Modified
Description
Impact
Multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption.
These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures.
Patches
Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-billy version.
Credits
Thanks to @faran66 for finding and reporting this issue privately to the go-git project. 🙇
References
- WEB https://github.com/go-git/go-billy/security/advisories/GHSA-m3xc-h892-ggx6
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-44740
- PACKAGE https://github.com/go-git/go-billy
- WEB https://github.com/go-git/go-billy/releases/tag/v5.9.0
- WEB https://github.com/go-git/go-billy/releases/tag/v6.0.0-alpha.1
Ready to move
Start Securing
Free, no credit card | First findings in minutes