CVE-2025-22873

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-22873
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-22873.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-22873
Aliases
Downstream
Related
Published
2026-02-04T23:15:54.220Z
Modified
2026-03-12T18:09:24.719192Z
Severity
  • 3.8 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.

References

Affected packages

Git / github.com/golang/go

Affected ranges

Type
GIT
Repo
https://github.com/golang/go
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
f77084d15d53e6aa09d2e7f867e69cc9766da2c5
Introduced
3901409b5d0fb7c85a3e6730a59943cc93b2835c
Fixed
34c8b14ca9f4096383d658fbd748322a993a2bd2
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.23.9"
        },
        {
            "introduced": "1.24.0"
        },
        {
            "fixed": "1.24.3"
        }
    ]
}

Affected versions

go1.*
go1.24.0
go1.24.1
go1.24.2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-22873.json"