CVE-2025-22873
published 2026-02-04


Priority: P4, 18, low, 3.8 (CVSS 3.1)
Vector: AV:L / AC:L / PR:L / UI:N / S:C / C:L / I:N / A:N
EPSS: 0.24% (14.8th percentile)
It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.

Affected

7 ranges
| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| debian | golang-1.15 | < golang-1.24 1.24.4-1 (forky) | golang-1.24 1.24.4-1 (forky) |
| debian | golang-1.19 | < golang-1.24 1.24.4-1 (forky) | golang-1.24 1.24.4-1 (forky) |
| debian | golang-1.24 | < golang-1.24 1.24.4-1 (forky) | golang-1.24 1.24.4-1 (forky) |
| go_standard_library | os | < 1.23.9 | 1.23.9 |
| go_standard_library | os | >= 1.24.0-0 < 1.24.3 | 1.24.3 |
| golang | go | < 1.23.9 | 1.23.9 |
| golang | go | >= 1.24.0 < 1.24.3 | 1.24.3 |

CVSS provenance

nvd: v3.1, 3.8 LOW, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
osv: 3.8 LOW
vendor_debian: 3.8 LOW
vendor_redhat: 3.8 LOW