CVE-2026-44740
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. This issue has been patched in versions 5.9.0 and 6.0.0-alpha.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| go-git | go-billy | < 5.9.0 | affected |
| go-git | go-billy | < 6.0.0-alpha.1 | affected |
Weaknesses
- CWE-674: CWE-674: Uncontrolled Recursion
- CWE-835: CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/go-git/go-billy/security/advisories/GHSA-m3xc-h892-ggx6
- https://github.com/go-git/go-billy/releases/tag/v5.9.0
- https://github.com/go-git/go-billy/releases/tag/v6.0.0-alpha.1
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.