CVE-2025-8959

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-8959

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-8959.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-8959

Aliases

Downstream

DEBIAN-CVE-2025-8959

MINI-7q9q-grfc-38gr

MINI-f6qm-v4vw-gq33

MINI-m96j-jmpv-c4hq

MINI-qhc9-hjv6-wcxx

MINI-v5j8-5cpf-42r6

MINI-v6w6-7pw3-v9g4

MINI-vp6f-gmx2-p552

UBUNTU-CVE-2025-8959

Related

Published

2025-08-15T21:15:37Z

Modified

2025-08-29T15:42:11.028Z

Summary

[none]

Details

HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.

References

https://discuss.hashicorp.com/t/hcsec-2025-23-hashicorp-go-getter-vulnerable-to-arbitrary-read-through-symlink-attack/76242

Affected packages