GHSA-57q7-rxqq-7vgp
On Windows, `git-sizer` might run a `git` executable within the repository being analyzed
Blast Radius
github.com/github/git-sizerReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Impact
On Windows, if git-sizer is run against a non-bare repository, and that repository has an executable called git.exe, git.bat, etc., then that executable might be run by git-sizer rather than the system git executable. An attacker could try to use social engineering to get a victim to run git-sizer against a hostile repository and thereby get the victim to run arbitrary code.
On Linux or other Unix-derived platforms, a similar problem could occur if the user's PATH has the current directory before the path to the standard git executable, but this is would be a very unusual configuration that has been known for decades to lead to all kinds of security problems.
Patches
Users should update to git-sizer v1.4.0
Workarounds
If you are on Windows, then either
- Don't run
git-sizeragainst a repository that might contain hostile code, or, if you must… - Run
git-sizeragainst a bare clone of the hostile repository, or, if that is not possible… - Make sure that the hostile repository doesn't have an executable in its top-level directory before running
git-sizer.
If you are on Linux or other Unix-based system, then (for myriad reasons!) don't add the current directory to your PATH.
References
For more information
If you have any questions or comments about this advisory:
- Open an issue in the
git-sizerproject. - Email us at GitHub support.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/github/git-sizer | all versions | 1.4.0 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/github/git-sizer. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/github/git-sizer to 1.4.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-57q7-rxqq-7vgp is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-57q7-rxqq-7vgp is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-57q7-rxqq-7vgp. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-57q7-rxqq-7vgp in your dependencies?
O3 detects GHSA-57q7-rxqq-7vgp across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.