CVE-2025-8959

Name: CVE-2025-8959
Description: HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1111318

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release | Version | Status
golang-github-hashicorp-go-getter (PTS) | sid, bookworm, bullseye | 1.4.1-1 | vulnerable

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
golang-github-hashicorp-go-getter | source | (unstable) | (unfixed) | | | 1111318

Notes

[bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
[bullseye] - golang-github-hashicorp-go-getter <postponed> (Minor issue)
https://discuss.hashicorp.com/t/hcsec-2025-23-hashicorp-go-getter-vulnerable-to-arbitrary-read-through-symlink-attack/76242
