[pkg-go] Bug#1111318: golang-github-hashicorp-go-getter: CVE-2025-8959
Salvatore Bonaccorso
carnil at debian.org
Sat Aug 16 20:00:30 BST 2025
Source: golang-github-hashicorp-go-getter
Version: 1.4.1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for golang-github-hashicorp-go-getter.
CVE-2025-8959[0]:
| HashiCorp's go-getter library subdirectory download feature is
| vulnerable to symlink attacks leading to unauthorized read access
| beyond the designated directory boundaries. This vulnerability,
| identified as CVE-2025-8959, is fixed in go-getter 1.7.9.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-8959
https://www.cve.org/CVERecord?id=CVE-2025-8959
[1] https://discuss.hashicorp.com/t/hcsec-2025-23-hashicorp-go-getter-vulnerable-to-arbitrary-read-through-symlink-attack/76242
Regards,
Salvatore
More information about the Pkg-go-maintainers
mailing list