Fluid Attacks Database

Description

Billy is an interface filesystem abstraction for Go. Prior to 5.9.0, multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base directories. While go-billy was not originally designed to provide a strong security boundary, some of these issues were inconsistent across some of the built-in implementations. This results in scenarios where applications relying on go-billy for some level of isolation may inadvertently expose access to unintended filesystem locations. This vulnerability is fixed in 5.9.0.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/go-git/go-billy/v6	>=0 <6.0.0-alpha.1	6.0.0-alpha.1
go	github.com/go-git/go-billy/v5	>=0 <5.9.0	5.9.0
debian 13	golang-github-go-git-go-billy	=5.5.0-1 \|\| =5.5.0-2 \|\| =5.8.0-1	-
debian 14	golang-github-go-git-go-billy-v6	=6~git20260226.45bd095-1 \|\| =6~git20260226.45bd095-2	-
debian 12	golang-github-go-git-go-billy	=5.3.1-3 \|\| =5.5.0-1 \|\| =5.5.0-2 \|\| =5.8.0-1	-
debian 14	golang-github-go-git-go-billy	=5.5.0-1 \|\| =5.5.0-2 \|\| =5.8.0-1	-

Aliases

1. CVE-2026-449732. NVD-2026-449733. OSV-2026-449734. OSV-DEBIAN-2026-449735. GHSA-qw64-3x98-g7q26. GCVE-2026-449737. SECURITY-TRACKER-CVE-2026-44973

References

1. https://github.com/go-git/go-billy/security/advisories/GHSA-qw64-3x98-g7q22. https://github.com/go-git/go-billy/releases/tag/v5.9.03. https://github.com/go-git/go-billy/releases/tag/v6.0.0-alpha.1