github.com/hashicorp/go-getter vulnerabilities

10 known vulnerabilities affecting github.com/hashicorp/go-getter.

Total CVEs: 10
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 6, MEDIUM 2

Vulnerabilities

CVE-2026-4660 | HIGH | ≥ 0, < 1.8.6 | 2026-04-09
CVE-2026-4660 [HIGH] CWE-200 HashiCorp's go-getter library may allow arbitrary file reads
HashiCorp's go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.
Sources: ghsa

CVE-2025-8959 | HIGH | CVSS 7.5 | ≥ 0, < 1.7.9 | 2025-08-15
CVE-2025-8959 [HIGH] CWE-59 HashiCorp go-getter Vulnerable to Symlink Attacks
HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.
Sources: ghsa, osv

CVE-2024-6257 | HIGH | ≥ 0, < 1.7.5 | 2024-06-25
CVE-2024-6257 [HIGH] CWE-77 HashiCorp go-getter Vulnerable to Code Execution On Git Update Via Git Config Manipulation
HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution. When go-getter is performing a Git operation, go-getter will try to clone the given repository in a specified dest
Sources: ghsa, osv

CVE-2024-3817 | CRITICAL | ≥ 1.5.9, < 1.7.4 | 2024-04-17
CVE-2024-3817 [CRITICAL] CWE-88 HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches
When go-getter is performing a Git operation, go-getter will try to clone the given repository. If a Git reference is not passed along with the Git url, go-getter will then try to check the remote repository’s HEAD reference of its default branch by passing arguments to the Gi
Sources: ghsa, osv

CVE-2023-0475 | MEDIUM | ≥ 0, < 1.7.0 | 2023-02-16
CVE-2023-0475 [MEDIUM] CWE-409 Data Amplification in HashiCorp go-getter
HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
Sources: ghsa, osv

CVE-2022-26945 | CRITICAL | ≥ 0, < 1.6.1; ≥ 2.0.0, < 2.1.0 | 2022-05-26
CVE-2022-26945 [CRITICAL] CWE-77 HashiCorp go-getter command injection
HashiCorp go-getter before 2.0.2 allows Command Injection.
Sources: ghsa, osv

CVE-2022-30323 | HIGH | ≥ 0, < 1.6.1; ≥ 2.0.0, < 2.1.0 | 2022-05-26
CVE-2022-30323 [HIGH] HashiCorp go-getter unsafe downloads could lead to asymmetric resource exhaustion
HashiCorp go-getter through 2.0.2 does not safely perform downloads. Asymmetric resource exhaustion could occur when go-getter processed malicious HTTP responses.
Sources: ghsa

CVE-2022-30322 | HIGH | ≥ 0, < 1.6.1; ≥ 2.0.0, < 2.1.0 | 2022-05-26
CVE-2022-30322 [HIGH] HashiCorp go-getter unsafe downloads could lead to arbitrary host access
HashiCorp go-getter through 2.0.2 does not safely perform downloads. Arbitrary host access was possible via go-getter path traversal, symlink processing, and command injection flaws.
Sources: ghsa

CVE-2022-30321 | HIGH | ≥ 0, < 1.6.1; ≥ 2.0.0, < 2.1.0 | 2022-05-26
CVE-2022-30321 [HIGH] HashiCorp go-getter unsafe downloads
HashiCorp go-getter through 2.0.2 does not safely perform downloads. Protocol switching, endless redirect, and configuration bypass were possible via abuse of custom HTTP response header processing.
Sources: ghsa

CVE-2022-29810 | MEDIUM | ≥ 0, < 1.5.11 | 2022-04-28
CVE-2022-29810 [MEDIUM] CWE-532 Insertion of Sensitive Information into Log File in HashiCorp go-getter
The HashiCorp go-getter library before 1.5.11 could write SSH credentials into its logfile, exposing sensitive credentials to local users able to read the logfile.
Sources: ghsa, osv