HashiCorp Shared Library vulnerabilities
7 known vulnerabilities affecting hashicorp/shared_library.
Total CVEs: 7
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 3, MEDIUM 2
Vulnerabilities
CVE-2026-0969 | P3 | HIGH | CVSS 8.8 | CWE-94 | ≥ 4.3.0, < 6.0.0 | 2026-02-12
The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0.
nvd
CVE-2024-3817 | P3 | CRITICAL | CVSS 9.8 | CWE-88 | ≥ 1.5.9, < 1.7.3 | 2024-04-17
HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches.
This vulnerability does not affect the go-getter/v2 branch and package.
nvd
CVE-2024-6257 | P3 | HIGH | CVSS 8.8 | CWE-77 | fixed in 1.7.4 | 2024-06-25
HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.
nvd
CVE-2025-0377 | P3 | CRITICAL | CVSS 9.1 | CWE-59 | fixed in 0.16.2 | 2025-01-21
HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry.
nvd
CVE-2025-8959 | P3 | HIGH | CVSS 7.5 | CWE-59 | fixed in 1.7.8 | 2025-08-15
HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.
nvd
CVE-2026-8052 | P4 | MEDIUM | CVSS 6.0 | CWE-59 | ≥ 0.1.0, < 0.1.2 | 2026-05-12
HashiCorp Nomad’s exec2 task driver prior to 0.1.2 is vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-8052) is fixed in version 0.1.2 of the exec2 task driver.
nvd
CVE-2024-6104 | P4 | MEDIUM | CVSS 5.5 | CWE-532 | fixed in 0.7.7 | 2024-06-24
go-retryablehttp prior to 0.7.7 did not sanitize URLs when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.
nvd