CVE-2025-21613: 
Packer vulnerability analysis and mitigation

An argument injection vulnerability (CVE-2025-21613) was discovered in go-git versions prior to v5.13.0, affecting versions from 4.0.0 onwards. The vulnerability was disclosed on January 5, 2025, and allows attackers to set arbitrary values to git-upload-pack flags. This vulnerability specifically impacts configurations where the file transport protocol is being used, as it's the only protocol that shells out to git binaries (GitHub Advisory, NVD).

The vulnerability is classified as an argument injection vulnerability (CWE-88: Improper Neutralization of Argument Delimiters in a Command). It has received a Critical severity rating with a CVSS v3.1 base score of 9.8, indicating high impact potential. The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, suggesting it can be exploited remotely with low attack complexity and requires no privileges or user interaction (CISA-ADP).

Successful exploitation of this vulnerability could lead to command or code execution, exposure of sensitive data, or other unintended behavior when using the file transport protocol. The high CVSS score indicates potential for complete compromise of system confidentiality, integrity, and availability (Red Hat).

The vulnerability has been patched in go-git version 5.13.0. For systems unable to update immediately, it is recommended to enforce strict validation rules for values passed in the URL field. Users should prioritize upgrading to the latest version for comprehensive protection (ASEC).