CVE-2025-21614: 
Packer vulnerability analysis and mitigation

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13 (CVE-2025-21614). This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. The vulnerability affects all versions of go-git from v4.0.0 to versions before v5.13.0, and has been assigned a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, NVD).

The vulnerability is specific to the go-git implementation and does not affect the upstream git cli. When a malicious Git server provides specially crafted responses, it can trigger resource exhaustion in go-git clients, leading to a denial of service condition. The vulnerability has been assigned CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-400 (Uncontrolled Resource Consumption) classifications (Red Hat CVE).

The vulnerability can result in denial of service conditions for applications using go-git as a client library. The CVSS metrics indicate that while there is no impact on confidentiality or integrity, there is a high impact on availability. The attack requires no privileges or user interaction and can be executed remotely over the network (GitHub Advisory).

The primary mitigation is to upgrade to go-git version 5.13.0 or later, which contains the fix for this vulnerability. For cases where immediate upgrade is not possible, it is recommended to limit go-git usage to trusted Git servers only to mitigate the risk of DoS attacks (GitHub Advisory, Security Online).

The vulnerability has been acknowledged and addressed by major Linux distributions including Red Hat, which has incorporated the fix into their products. The security community has emphasized the importance of upgrading to the patched version, particularly for organizations using go-git in their development workflows (Red Hat Advisory).