CVE-2025-22873
Published 2026-02-04
Priority P4 · 18 · low · 3.8 (CVSS 3.1)
AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
EPSS
0.24%
14.8th percentile
It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.24 1.24.4-1 (forky) | golang-1.24 1.24.4-1 (forky) |
| debian | golang-1.19 | < golang-1.24 1.24.4-1 (forky) | golang-1.24 1.24.4-1 (forky) |
| debian | golang-1.24 | < golang-1.24 1.24.4-1 (forky) | golang-1.24 1.24.4-1 (forky) |
| go_standard_library | os | < 1.23.9 | 1.23.9 |
| go_standard_library | os | >= 1.24.0-0 < 1.24.3 | 1.24.3 |
| golang | go | < 1.23.9 | 1.23.9 |
| golang | go | >= 1.24.0 < 1.24.3 | 1.24.3 |
CVSS provenance
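| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 3.8 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |
| osv | | 3.8 | LOW | |
| vendor_debian | | 3.8 | LOW | |
| vendor_redhat | | 3.8 | LOW | |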
GHSA
GHSA-p3p7-9h4w-jqw2: It was possible to improperly access the parent directory of an os
ghsa_unreviewed·2026-02-05
CVE-2025-22873 [LOW] CWE-23 GHSA-p3p7-9h4w-jqw2: It was possible to improperly access the parent directory of an os
It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.
OSV
CVE-2025-22873: It was possible to improperly access the parent directory of an os
osv·2026-02-04·CVSS 3.8
CVE-2025-22873 [LOW] CVE-2025-22873: It was possible to improperly access the parent directory of an os
It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.
OSV
Improper access to parent directory of root in os
osv·2026-02-04
CVE-2025-22873 Improper access to parent directory of root in os
It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.
Red Hat
os: os: Information disclosure via path traversal using specially crafted filenames
vendor_redhat·2026-02-04·CVSS 3.8
CVE-2025-22873 [LOW] CWE-22 os: os: Information disclosure via path traversal using specially crafted filenames
It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.
A path traversal vulnerability has been identified in the Go os package affecting the Root abstraction, where improper handling of trailing path separators could allow access to the parent directory of a configured root directory. By supplying a filename ending in "../", an attacker may be able to open the immediate parent directory of the intended Root. Although this escape does not allow travers
Debian
CVE-2025-22873: golang-1.15 - It was possible to improperly access the parent directory of an os.Root by openi...
vendor_debian·2025·CVSS 3.8
CVE-2025-22873 [LOW] CVE-2025-22873: golang-1.15 - It was possible to improperly access the parent directory of an os.Root by openi...
It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.
Scope: local
bullseye: resolved
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-22873 os: os: Information disclosure via path traversal using specially crafted filenames
bugzilla·2026-02-05·CVSS 3.8
CVE-2025-22873 [LOW] CVE-2025-22873 os: os: Information disclosure via path traversal using specially crafted filenames
It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.
Wiz
CVE-2025-22873 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.8
CVE-2025-22873 [LOW] CVE-2025-22873 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-22873: Datadog Agent vulnerability analysis and mitigation
It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.
Source: NVD
Score: 3.8
Published February 4, 2026
Severity LOW
CNA Score 3.8
Affected Technologies
Datadog Agent
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
container-tools:rhel8::runc
containerd-1
Sources
Alpine 3.1
2026-02-04
Published