CVE-2025-22873

EUVD-2025-206863
It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 3.8 LOW | LOCAL | LOW | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |
| CISA-ADP | ADP | 3.8 LOW | LOCAL | LOW | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |
EPSS Score: Percentile: Unknown
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| golang | go | 𝑥 < 1.23.9 |
| golang | go | 1.24.0 ≤ 𝑥 < 1.24.3 |

𝑥 = Vulnerable software versions
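Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| golang-1.15 | bullseye | 1.15.15-1~deb11u4 | fixed |
| golang-1.19 | bookworm | 1.19.8-2 | fixed |
| golang-1.24 | forky | 1.24.13-2 | fixed |
| golang-1.24 | sid | 1.24.13-2 | fixed |
| golang-1.24 | trixie | 1.24.4-1 | fixed |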
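Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| golang-1.23 | focal | dne |
| golang-1.23 | jammy | not-affected |
| golang-1.23 | noble | not-affected |
| golang-1.23 | oracular | not-affected |
| golang-1.23 | plucky | not-affected |
| golang-1.23 | questing | not-affected |
| golang-1.24 | focal | dne |
| golang-1.24 | jammy | dne |
| golang-1.24 | noble | dne |
| golang-1.24 | oracular | dne |
| golang-1.24 | plucky | ignored |
| golang-1.24 | questing | needs-triage |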