Hashicorp Go-Getter vulnerabilities

9 known vulnerabilities affecting hashicorp/go-getter.

Total CVEs
9
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL2HIGH5MEDIUM2

Vulnerabilities

Page 1 of 1
CVE-2025-8959HIGHCVSS 7.5fixed in 1.7.92025-08-15
CVE-2025-8959 [HIGH] CWE-59 CVE-2025-8959: HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.
nvd
CVE-2024-6257HIGHCVSS 8.8fixed in 1.7.52024-06-25
CVE-2024-6257 [HIGH] CWE-77 CVE-2024-6257: HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously mo HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.
nvd
CVE-2024-3817CRITICALCVSS 9.8≥ 1.5.9, < 1.7.42024-04-17
CVE-2024-3817 [CRITICAL] CWE-88 CVE-2024-3817: HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover rem HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnerability does not affect the go-getter/v2 branch and package.
nvd
CVE-2023-0475MEDIUMCVSS 6.5≤ 1.6.2v2.1.12023-02-16
CVE-2023-0475 [MEDIUM] CWE-409 CVE-2023-0475: HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2 HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
cvelistv5nvd
CVE-2022-26945CRITICALCVSS 9.8≤ 1.5.11v2.0.22022-05-25
CVE-2022-26945 [CRITICAL] CVE-2022-26945: go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration byp go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.
nvd
CVE-2022-30322HIGHCVSS 8.6≤ 1.5.11v2.0.22022-05-25
CVE-2022-30322 [HIGH] CVE-2022-30322: go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed mal go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0.
nvd
CVE-2022-30323HIGHCVSS 8.6≤ 1.5.11v2.0.22022-05-25
CVE-2022-30323 [HIGH] CVE-2022-30323: go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6 go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0.
nvd
CVE-2022-30321HIGHCVSS 8.6≤ 1.5.11v2.0.22022-05-25
CVE-2022-30321 [HIGH] CWE-22 CVE-2022-30321: go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.
nvd
CVE-2022-29810MEDIUMCVSS 5.5fixed in 1.5.112022-04-27
CVE-2022-29810 [MEDIUM] CWE-532 CVE-2022-29810: The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter. The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.
nvd