logo

Database

Insecure session management In golang-github-hashicorp-go-getter

Description

HashiCorp go-getter Vulnerable to Symlink Attacks HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-89592. NVD-2025-89593. OSV-DEBIAN-2025-89594. OSV-2025-89595. GCVE-2025-89596. SECURITY-TRACKER-CVE-2025-8959

References

1. https://github.com/hashicorp/go-getter/commit/87541b2501c00df5eaedea6acc61a2a4a4efa5b72. https://discuss.hashicorp.com/t/hcsec-2025-23-hashicorp-go-getter-vulnerable-to-arbitrary-read-through-symlink-attack/762423. https://pkg.go.dev/vuln/GO-2025-3892

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.