CVE-2025-21613 - github.com/go-git/go-git/v5 CRITICAL in Amazon Inspector #611

Open
nickstrijbos opened this issue Jan 7, 2025 · 16 comments
@nickstrijbos

A critical security vulnerability (CVE-2025-21613) has been identified in the go-git library. This vulnerability has been flagged as CRITICAL by Amazon Inspector and requires immediate attention. The amazon-ssm-agent project currently uses an outdated version of go-git as specified in the go.mod file here. Can this be patched to v5.13.0?

This is also being used by the amazon-ecs-ami we are currently using. https://github.com/aws/amazon-ecs-ami

github.com/go-git/go-git/v5 v5.12.0

@drmihalj
Contributor

drmihalj commented Jan 7, 2025

Hello Nick,
Thank you for bringing this to our attention. The team is aware of this issue and a fix will be available soon.

@drmihalj drmihalj self-assigned this Jan 7, 2025
@leeuw471

@drmihalj Any updates on the timeline? Since this is quite a high-scoring CVE, would love to get rid of it.

@drmihalj
Contributor

Hi @leeuw471, the fix will be available with the coming release.

@glaubitz

Hi @leeuw471, the fix will be available with the coming release.

Hello, we're also affected in openSUSE and SUSE Linux Enterprise and I would like to fix this as soon as possible.

Would be great to get a point release with an updated go-git module.

@nickstrijbos
Author

Hi @leeuw471, the fix will be available with the coming release.

Also, when will a release be coming? Can you give us some specifics, such as a date?

@Aperocky
Contributor

Aperocky commented Jan 14, 2025

We are expecting to release it this current week.

@nickstrijbos
Author

We are expecting to release it this current week.

Hi @Aperocky, it's already Thursday; when will there be a release? I also opened a PR, not sure if that was helpful.

@yaronbenezra

Can you give the date for the upcoming release?

@Aperocky
Contributor

The release is now out on GitHub; regional deployments have been ongoing since earlier this week. Please look for Agent version 3.3.1611.0, which contains the fix.

@TLaue

TLaue commented Jan 23, 2025

Hi @Aperocky, one quick question: has this issue really been solved with version 3.3.1611.0, as PR #614 is still open and AWS Inspector is still flagging this vulnerability even after updating the SSM agent to version 3.3.1611.0?

@glaubitz

Hi @Aperocky, one quick question: has this issue really been solved with version 3.3.1611.0, as PR #614 is still open and AWS Inspector is still flagging this vulnerability even after updating the SSM agent to version 3.3.1611.0?

Well, go.mod lists the fixed version: https://github.com/aws/amazon-ssm-agent/blob/mainline/go.mod#L20

@TLaue

TLaue commented Jan 23, 2025

AWS Systems Manager updates the SSM agent to version 3.3.1611.0, but Inspector still reports this new version as vulnerable.

@glaubitz

AWS Systems Manager updates the SSM agent to version 3.3.1611.0, but Inspector still reports this new version as vulnerable.

And it's not possible that the Inspector report is wrong? I mean, the go-git module has definitely been updated to the fixed version (>= 5.13.0), so it's definitely fixed.

@leeuw471

For us, after manually updating the SSM agent to 3.3.1611 in the ECS AMI EC2, the Inspector finding goes away and it's marked as safe.

@TLaue

TLaue commented Jan 23, 2025

In this case it might be an issue of the update mechanism when using AWS SSM. Inspector reports the following:

Installed version / Fixed version
0:3.3.1611.0-1.X86_64 / 0:3.3.1611.0-4.36.1

In this case it seems to be not an issue of the SSM agent itself.
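The finding quoted above pairs an installed package string with a fixed version that differs only in the release field (-1 versus -4.36.1), while the upstream version 3.3.1611.0 is identical. The Go below is an added example, not code from the thread or from amazon-ssm-agent, and implements a simplified form of the rpmvercmp ordering (assumed here; tilde and caret handling omitted) to show how an RPM-based scanner ordering epoch:version-release strings keeps flagging such a package until its release field catches up with the advisory's, which is worth checking before treating a finding as a missing patch.

```go
package main
import (
	"strconv"
	"strings"
)

// isSep marks the separators ('.', '_', '-') that rpmvercmp discards.
func isSep(r rune) bool {
	return !(r >= '0' && r <= '9' || r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z')
}
func cmpInt(a, b int) int {
	if a < b { return -1 }
	if a > b { return 1 }
	return 0
}
// CompareLabel is a simplified rpmvercmp: numeric segments compare by value,
// others lexically, a number outranks a word, and when all shared segments tie
// the label with more segments is newer (mixed runs such as "X86" stay whole).
func CompareLabel(a, b string) int {
	sa, sb := strings.FieldsFunc(a, isSep), strings.FieldsFunc(b, isSep)
	for i := 0; i < len(sa) && i < len(sb); i++ {
		nx, ex := strconv.Atoi(sa[i])
		ny, ey := strconv.Atoi(sb[i])
		if ex == nil && ey == nil { // both numeric: 10 > 9, 01 == 1
			if c := cmpInt(nx, ny); c != 0 { return c }
			continue
		}
		if ex == nil || ey == nil { // a number outranks a word
			if ex == nil { return 1 }
			return -1
		}
		if c := strings.Compare(sa[i], sb[i]); c != 0 { return c }
	}
	return cmpInt(len(sa), len(sb))
}

// splitEVR parses "epoch:version-release"; a missing epoch is 0.
func splitEVR(s string) (epoch int, version, release string) {
	if i := strings.Index(s, ":"); i >= 0 { epoch, _ = strconv.Atoi(s[:i]); s = s[i+1:] }
	if i := strings.LastIndex(s, "-"); i >= 0 { return epoch, s[:i], s[i+1:] }
	return epoch, s, ""
}

// CompareEVR orders two packages as an RPM-based scanner does: epoch, version, release.
func CompareEVR(a, b string) int {
	ea, va, ra := splitEVR(a)
	eb, vb, rb := splitEVR(b)
	if c := cmpInt(ea, eb); c != 0 { return c }
	if c := CompareLabel(va, vb); c != 0 { return c }
	return CompareLabel(ra, rb)
}
```

CompareEVR("0:3.3.1611.0-1.X86_64", "0:3.3.1611.0-4.36.1") returns -1: the versions tie and the release field alone makes the installed package sort as older than the advisory's fixed build.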

@Aperocky
Contributor

Thanks for this report, I'll direct this to the Inspector team to understand what is going on with this:

Installed version / Fixed version
0:3.3.1611.0-1.X86_64 / 0:3.3.1611.0-4.36.1

@Aperocky Aperocky reopened this Jan 23, 2025