Go Standard Library Os vulnerabilities

CVE-2026-27139 [LOW] CVE-2026-27139: On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the r On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside th

CVE-2025-22873 [LOW] CWE-23 CVE-2025-22873: It was possible to improperly access the parent directory of an os.Root by opening a filename ending It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.

CVE-2025-0913 [MEDIUM] CWE-59 CVE-2025-0913: os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the targe os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always r

CVE-2022-41720 [HIGH] CWE-22 CVE-2022-41720: On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and ht On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide