HashiCorp Shared Library vulnerabilities

6 known vulnerabilities affecting hashicorp/shared_library.

Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 3, MEDIUM 1

Vulnerabilities

CVE-2026-0969 | HIGH | CVSS 8.8 | ≥ 4.3.0, < 6.0.0 | 2026-02-12
CVE-2026-0969 [HIGH] CWE-94: The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0.
Sources: cvelistv5, nvd
CVE-2025-8959 | HIGH | CVSS 7.5 | fixed in 1.7.8 | 2025-08-15
CVE-2025-8959 [HIGH] CWE-59: HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.
Sources: cvelistv5, nvd
CVE-2025-0377 | CRITICAL | CVSS 9.1 | fixed in 0.16.2 | 2025-01-21
CVE-2025-0377 [CRITICAL] CWE-59: HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry.
Sources: cvelistv5, nvd
CVE-2024-6257 | HIGH | CVSS 8.8 | fixed in 1.7.4 | 2024-06-25
CVE-2024-6257 [HIGH] CWE-77: HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.
Sources: cvelistv5, nvd
CVE-2024-6104 | MEDIUM | CVSS 5.5 | fixed in 0.7.7 | 2024-06-24
CVE-2024-6104 [MEDIUM] CWE-532: go-retryablehttp prior to 0.7.7 did not sanitize URLs when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.
Sources: cvelistv5, nvd
CVE-2024-3817 | CRITICAL | CVSS 9.8 | ≥ 1.5.9, < 1.7.3 | 2024-04-17
CVE-2024-3817 [CRITICAL] CWE-88: HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnerability does not affect the go-getter/v2 branch and package.
Sources: cvelistv5, nvd