CVE-2025-8959
published 2025-08-15
CVE-2025-8959: HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated…
Priority: P3 · 43 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.51% (39.4th percentile)
HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-github-hashicorp-go-getter | — | — |
| github.com | hashicorp_go-getter | >= 0 < 1.7.9 | 1.7.9 |
| hashicorp | go-getter | < 1.7.9 | 1.7.9 |
| hashicorp | shared_library | < 1.7.8 | 1.7.8 |
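CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| ghsa | — | 7.5 | HIGH | — |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |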
OSV
HashiCorp go-getter Vulnerable to Symlink Attacks in github.com/hashicorp/go-getter
osv·2025-08-29
OSV
CVE-2025-8959: HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated
osv·2025-08-15·CVSS 7.5
OSV
HashiCorp go-getter Vulnerable to Symlink Attacks
osv·2025-08-15·CVSS 7.5
GHSA
HashiCorp go-getter Vulnerable to Symlink Attacks
ghsa·2025-08-15·CVSS 7.5
CVE-2025-8959 [HIGH] CWE-59 HashiCorp go-getter Vulnerable to Symlink Attacks
Red Hat
github.com/hashicorp/go-getter: HashiCorp go-getter Arbitrary File Read
vendor_redhat·2025-08-15·CVSS 7.5
CVE-2025-8959 [HIGH] CWE-59 github.com/hashicorp/go-getter: HashiCorp go-getter Arbitrary File Read
A flaw was found in HashiCorp’s go-getter library subdirectory download feature, where it is vulnerable to symlink attacks. This vulnerability can lead to unauthorized read access beyond the designated directory boundaries.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Debian
CVE-2025-8959: golang-github-hashicorp-go-getter - HashiCorp's go-getter library subdirectory download feature is vulnerable to sym...
vendor_debian·2025·CVSS 7.5
Scope: local
bookworm: open
bullseye: open
No detection rules found.
No public exploits indexed.