CVE-2025-8959 — Link Following in Shared Library

CWE-59 — Link Following8 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.0%

top 92.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hashicorp Shared Library Github.com Hashicorp Go-getter Hashicorp Go-getter

Timeline

PublishedAug 15

Latest updateAug 29

Description

HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDhashicorp/go-getter< 1.7.9

▶Gogithub.com/hashicorp_go-getter< 1.7.9

▶CVEListV5hashicorp/shared_library< 1.7.8

🔴Vulnerability Details

OSV

HashiCorp go-getter Vulnerable to Symlink Attacks in github.com/hashicorp/go-getter↗2025-08-29

▶

OSV

CVE-2025-8959: HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated↗2025-08-15

▶

CVEList

HashiCorp go-getter Vulnerable to Arbitrary Read through Symlink Attack↗2025-08-15

▶

OSV

HashiCorp go-getter Vulnerable to Symlink Attacks↗2025-08-15

▶

GHSA

HashiCorp go-getter Vulnerable to Symlink Attacks↗2025-08-15

▶

📋Vendor Advisories

Red Hat

github.com/hashicorp/go-getter: HashiCorp go-getter Arbitrary File Read↗2025-08-15

▶

Debian

CVE-2025-8959: golang-github-hashicorp-go-getter - HashiCorp's go-getter library subdirectory download feature is vulnerable to sym...↗2025

▶