GHSA-xfhp-jf8p-mh5w
GitHub Security Advisory
HashiCorp go-getter Vulnerable to Code Execution On Git Update Via Git Config Manipulation
✓ GitHub Reviewed
HIGH
Has CVE
Advisory Details
HashiCorp’s go-getter library can be coerced into running a Git update against an existing, maliciously modified Git configuration, potentially leading to arbitrary code execution. When go-getter performs a Git operation, it tries to clone the given repository into a specified destination. Cloning initializes a Git config in the provided destination, and if the repository needs to be updated, go-getter pulls the new changes.
An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.
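A defensive check for the scenario described above, as an added example (not go-getter's code and not the change shipped in 1.7.5): before updating an existing checkout, list every entry in its `.git/config` text that a plain clone would not have written. The baseline key list, the `UnexpectedKeys` name and the sample config are assumptions constructed for illustration; values of baseline keys are not validated.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed baseline: section.key pairs a plain `git clone` writes (subsection dropped).
var allowed = map[string]bool{
	"core.repositoryformatversion": true, "core.filemode": true, "core.bare": true,
	"core.logallrefupdates": true, "core.ignorecase": true, "core.symlinks": true,
	"remote.url": true, "remote.fetch": true, "branch.remote": true, "branch.merge": true,
}

var sectionRe = regexp.MustCompile(`^\[([A-Za-z0-9.-]+)(?:\s+"(?:[^"\\]|\\.)*")?\]\s*(.*)$`)
var keyRe = regexp.MustCompile(`^([A-Za-z][A-Za-z0-9-]*)\s*(=[^\\]*)?$`) // no escapes or continuations

// Constructed sample: a clone-style config with two entries added afterwards.
const sampleModified = "[core]\n\tbare = false\n[remote \"origin\"]\n" +
	"\turl = https://example.com/repo.git\n[core] added-key = constructed\n" +
	"[example \"x\"]\n\tother-key = constructed\n"

// UnexpectedKeys reports entries outside the baseline and any line it cannot parse.
func UnexpectedKeys(config string) []string {
	var findings []string
	section := ""
	for i, raw := range strings.Split(config, "\n") {
		line := strings.TrimSpace(raw)
		if m := sectionRe.FindStringSubmatch(line); m != nil {
			section, line = strings.ToLower(m[1]), m[2] // a key may share the header line
		}
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		m := keyRe.FindStringSubmatch(line)
		if m == nil || section == "" {
			findings = append(findings, fmt.Sprintf("line %d: unparsed %q", i+1, line))
		} else if key := section + "." + strings.ToLower(m[1]); !allowed[key] {
			findings = append(findings, fmt.Sprintf("line %d: %s", i+1, key))
		}
	}
	return findings
}

func main() {
	fmt.Println(strings.Join(UnexpectedKeys(sampleModified), "\n"))
}
```

The parser is deliberately conservative: anything it does not recognise, including values with backslash escapes or line continuations, is reported rather than skipped, so a non-empty result means the checkout should be discarded and re-cloned rather than updated in place.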
Affected Packages
Go
github.com/hashicorp/go-getter
Affected versions: 0 (fixed in 1.7.5)
Related CVEs
Key Information
7.5/10
Dataset
Last updated: July 6, 2025 6:30 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.