CVE-2025-22873

EUVD-2025-206863
It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.8 LOW
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 14%
Affected Products (NVD)
VendorProductVersion
golanggo
𝑥
< 1.23.9
golanggo
1.24.0 ≤
𝑥
< 1.24.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
golang-1.15
bullseye
1.15.15-1~deb11u4
fixed
golang-1.19
bookworm
1.19.8-2
fixed
golang-1.24
trixie
1.24.4-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang-1.23
focal
dne
jammy
not-affected
noble
not-affected
oracular
not-affected
plucky
not-affected
questing
not-affected
resolute
not-affected
golang-1.24
focal
dne
jammy
needs-triage
noble
needs-triage
oracular
dne
plucky
ignored
questing
needs-triage
resolute
needs-triage
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
golang
Amazon Linux 2023
0:1.24.3-1.amzn2023.0.1
fixed
golang-bin
Amazon Linux 2023
0:1.24.3-1.amzn2023.0.1
fixed
golang-docs
Amazon Linux 2023
0:1.24.3-1.amzn2023.0.1
fixed
golang-misc
Amazon Linux 2023
0:1.24.3-1.amzn2023.0.1
fixed
golang-shared
Amazon Linux 2023
0:1.24.3-1.amzn2023.0.1
fixed
golang-src
Amazon Linux 2023
0:1.24.3-1.amzn2023.0.1
fixed
golang-tests
Amazon Linux 2023
0:1.24.3-1.amzn2023.0.1
fixed