{"package":"gopkg.in/src-d/go-git.v4","ecosystem":"go","latest_version":"v4.13.1","description":"","license":"Apache-2.0","license_risk":"permissive","commercial_use_notes":"Permissive: commercial closed-source use OK; preserve the copyright notice.","homepage":"https://pkg.go.dev/gopkg.in/src-d/go-git.v4","repository":"","downloads_weekly":0,"health":{"score":12,"risk":"critical","breakdown":{"maintenance":0,"popularity":0,"security":0,"maturity":12,"community":0},"deprecated":false,"max_score":100},"vulnerabilities":{"count":8,"critical":2,"high":2,"medium":0,"low":4,"details":[{"vuln_id":"CVE-2023-49569","severity":"critical","summary":"Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients","affected_versions":">=5.0.0,<5.11.0|>=4.0.0,<=4.13.1","fixed_version":"5.11.0","source":"osv","published_at":"2024-01-10T15:37:05Z","in_kev":false,"epss_prob":0.04027,"epss_percentile":0.88522,"threat_tier":"theoretical"},{"vuln_id":"CVE-2023-49568","severity":"high","summary":"Maliciously crafted Git server replies can cause DoS on go-git clients","affected_versions":"<5.11.0|>=4.7.1,<=4.13.1","fixed_version":"5.11.0","source":"osv","published_at":"2023-12-27T15:06:52Z","in_kev":false,"epss_prob":0.00112,"epss_percentile":0.2941,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-21614","severity":"high","summary":"go-git clients vulnerable to DoS via maliciously crafted Git server replies","affected_versions":">=4.0.0,<=4.13.1|<5.13.0|>=4.0.0,<=4.13.1","fixed_version":"5.13.0","source":"osv","published_at":"2025-01-06T16:20:28Z","in_kev":false,"epss_prob":0.00222,"epss_percentile":0.44668,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-21613","severity":"critical","summary":"go-git has an Argument Injection via the URL 
field","affected_versions":">=4.0.0,<=4.13.1|<5.13.0","fixed_version":"5.13.0","source":"osv","published_at":"2025-01-06T16:16:30Z","in_kev":false,"epss_prob":0.0286,"epss_percentile":0.86297,"threat_tier":"theoretical"},{"vuln_id":"CVE-2023-49569","severity":"unknown","summary":"Path traversal and RCE in github.com/go-git/go-git/v5 and gopkg.in/src-d/go-git.v4","affected_versions":">=4.7.1|>=5.0.0,<5.11.0","fixed_version":"5.11.0","source":"osv","published_at":"2024-01-23T15:29:09Z","in_kev":false,"epss_prob":0.04027,"epss_percentile":0.88522,"threat_tier":"theoretical"},{"vuln_id":"CVE-2023-49568","severity":"unknown","summary":"Denial of service in github.com/go-git/go-git/v5 and gopkg.in/src-d/go-git.v4","affected_versions":">=4.7.1|>=5.0.0,<5.11.0","fixed_version":"5.11.0","source":"osv","published_at":"2024-01-23T18:00:21Z","in_kev":false,"epss_prob":0.00112,"epss_percentile":0.2941,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-21614","severity":"unknown","summary":"Clients vulnerable to DoS via maliciously crafted Git server replies in github.com/go-git/go-git","affected_versions":">=4.0.0|<5.13.0|>=4.0.0","fixed_version":"5.13.0","source":"osv","published_at":"2025-01-07T16:03:20Z","in_kev":false,"epss_prob":0.00222,"epss_percentile":0.44668,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-21613","severity":"unknown","summary":"Argument Injection via the URL field in 
github.com/go-git/go-git","affected_versions":">=4.0.0|<5.13.0|>=4.0.0","fixed_version":"5.13.0","source":"osv","published_at":"2025-01-07T16:04:06Z","in_kev":false,"epss_prob":0.0286,"epss_percentile":0.86297,"threat_tier":"theoretical"}],"actively_exploited_count":0,"likely_exploited_count":0},"versions":{"latest":"v4.13.1","total_count":37,"recent":["v4.0.0-rc13","v4.9.0","v4.0.0-rc9","v4.8.0","v4.3.0","v4.5.0","v4.6.0","v4.12.0","v4.1.0","v4.10.0","v4.13.0","v4.9.1","v4.3.1","v4.0.0-rc5","v4.0.0-rc3","v4.2.0","v4.7.1","v4.0.0-rc8","v4.0.0-rc14","v4.4.1"]},"metadata":{"deprecated":false,"deprecated_message":null,"maintainers_count":0,"first_published":null,"last_published":"2019-08-01T15:22:48Z","dependencies_count":0,"dependencies":[]},"github_stats":null,"bundle":null,"typescript":null,"known_issues":{"bugs_count":0,"bugs_severity":{},"status_breakdown":{},"link":null,"scope":"none"},"historical_compromise":null,"recommendation":{"action":"do_not_use","issues":["Critical-risk health score (12/100) — verify manually","2 high severity vulnerabilities","2 critical vulnerabilities"],"use_version":"v4.13.1","version_hint":"Update to >= 5.13.0 (github.com/go-git/go-git/v5; no fixed v4 release is listed here) to fix known vulnerabilities","summary":"gopkg.in/src-d/go-git.v4 has critical vulnerabilities — do not use"},"version_scoped":null,"_meta":{"endpoint":"check","tier":"full","philosophy":"DepScope is free. 
Use the cheapest endpoint that answers your real question.","cheaper_alternatives":[{"endpoint":"/api/exists/go/gopkg.in%2Fsrc-d%2Fgo-git.v4","tokens_estimated":12,"use_when":"you only need to know if the package exists (hallucination guard)"},{"endpoint":"/api/health/go/gopkg.in%2Fsrc-d%2Fgo-git.v4","tokens_estimated":80,"use_when":"you only need a 0-100 score for go/no-go (>=70 = safe)"},{"endpoint":"/api/prompt/go/gopkg.in%2Fsrc-d%2Fgo-git.v4","tokens_estimated":280,"use_when":"you want a plain-text LLM-friendly brief instead of JSON"},{"endpoint":"POST /api/check_bulk","tokens_estimated":60,"use_when":"you have 5+ packages to check; sends one round-trip instead of N"}],"docs":"https://depscope.dev/integrate"},"requested_version":null,"_cache":"miss","_response_ms":1146,"_powered_by":"depscope.dev — free package intelligence for AI agents","typosquat":{"is_suspected":false},"maintainer_trust":{"available":false},"malicious":{"is_malicious":false},"scorecard":{"available":false},"quality":{"available":false},"version_history_summary":{"total_versions":21,"first_release_age_days":null,"last_release_days_ago":2467,"avg_days_between_releases":null,"release_velocity":"stale"}}