Homepage

Incorrect Behavior Order: Validate Before Canonicalize Affecting argocd-image-updater package, versions <1.2.0-r3

Severity

 Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.01% (1st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-WOLFILATEST-ARGOCDIMAGEUPDATER-16693198
  • published14 May 2026
  • disclosed27 May 2026
Report a new vulnerability Found a mistake?

Introduced: 14 May 2026

NewCVE-2026-45022  (opens in a new tab)
CWE-180  (opens in a new tab)
CWE-345  (opens in a new tab)

How to fix?

Upgrade Wolfi argocd-image-updater to version 1.2.0-r3 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream argocd-image-updater package and not the argocd-image-updater package as distributed by Wolfi. See How to fix? for Wolfi relevant fixed versions and status.

go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representation may expose values differently from how Git itself would interpret or reject the same object. Additionally, go-git’s commit signing and verification logic operates over commit data reconstructed from go-git’s parsed representation rather than the original raw object bytes. As a result, go-git may sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository. This can cause a signature to appear valid for a commit whose displayed or effective metadata differs from the object that was intended to be signed. This vulnerability is fixed in 5.19.0 and 6.0.0-alpha.3.