CVE-2025-22873 — Relative Path Traversal in Standard Library OS

CWE-23 — Relative Path Traversal CWE-22 — Path Traversal9 documents8 sources

Severity

3.8LOWNVD

EPSS

0.0%

top 99.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Standard Library OS Golang GO

Timeline

PublishedFeb 4

Latest updateFeb 5

Description

It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:NExploitability: 2.0 | Impact: 1.4

Affected Packages2 packages

▶NVDgolang/go1.24.0 — 1.24.3+1

▶CVEListV5go_standard_library/os1.24.0-0 — 1.24.3+1

Patches

Patch: go.dev ↗

🔴Vulnerability Details

GHSA

GHSA-p3p7-9h4w-jqw2: It was possible to improperly access the parent directory of an os↗2026-02-05

▶

CVEList

Improper access to parent directory of root in os↗2026-02-04

▶

OSV

CVE-2025-22873: It was possible to improperly access the parent directory of an os↗2026-02-04

▶

OSV

Improper access to parent directory of root in os↗2026-02-04

▶

📋Vendor Advisories

Red Hat

os: os: Information disclosure via path traversal using specially crafted filenames↗2026-02-04

▶

Debian

CVE-2025-22873: golang-1.15 - It was possible to improperly access the parent directory of an os.Root by openi...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-22873 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2025-22873 os: os: Information disclosure via path traversal using specially crafted filenames↗2026-02-05

▶