GHSA-qw64-3x98-g7q2

Suggest an improvement

Source

https://github.com/advisories/GHSA-qw64-3x98-g7q2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qw64-3x98-g7q2/GHSA-qw64-3x98-g7q2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qw64-3x98-g7q2

Aliases

CVE-2026-44973

Downstream

MINI-22w9-f6jr-qjx9

MINI-22wp-x7jr-5cxj

MINI-244m-8hpr-mc45

MINI-25qr-m9j8-f448

MINI-285f-qq36-4948

MINI-297j-wxvv-p25x

MINI-2m56-r4wj-gx76

MINI-2ph5-8p8v-hcc3

MINI-2wv9-7767-42w5

MINI-32hx-mwj6-q3rv

MINI-32p9-v882-3rxq

MINI-393v-7cpp-wpw2

MINI-3q4g-94r3-gcgp

MINI-3qgc-qrg7-r563

MINI-3x98-fp6p-mrwj

MINI-3xcr-mphg-29r4

MINI-423p-w8wm-xrj2

MINI-445j-g3jp-55hc

MINI-445p-c3xp-5grm

MINI-464v-9qh7-qf57

MINI-468m-gjpv-39g5

MINI-46wm-c9rj-85w7

MINI-4qjv-9x76-q43q

MINI-576v-9j3g-qxj7

MINI-5c34-vfwg-cf3q

MINI-5fh2-3m5q-wv3c

MINI-5fm3-xv2q-hfgj

MINI-5p2w-jhjg-7w3q

MINI-5rh7-gw82-6pc4

MINI-5vm4-v75x-2gcr

MINI-68vf-fjp9-pjp3

MINI-6g2p-3fhm-r59h

MINI-6h6x-gj72-cj49

MINI-6j65-xgjg-p65f

MINI-6jjx-g8mx-h3gj

MINI-6wf5-hm88-5w7h

MINI-6x73-xh6f-h4v8

MINI-7267-3rh2-pgj2

MINI-77v4-f966-pjf4

MINI-7ghp-wf97-pw45

MINI-7j2g-jhg9-wjhv

MINI-7v9r-m976-cc67

MINI-833p-rcr2-jvp6

MINI-89p3-xhf6-2q3g

MINI-8g5w-p3gc-63f3

MINI-8mjw-335h-843g

MINI-8qr6-39wx-xqf3

MINI-8xwv-xjr2-36pm

MINI-9287-4939-rvvh

MINI-97qj-rh9x-mgfw

MINI-9c9f-pxpj-6h2q

MINI-9cjh-3vx5-qg3w

MINI-9grv-prqr-ch8x

MINI-9h43-5g5m-mr5j

MINI-9h69-j9gr-8g93

MINI-9m53-6xpv-7r8m

MINI-9q95-73gr-33x2

MINI-9rpg-6h85-gccj

MINI-9rxh-gv88-273q

MINI-cg4j-f6jx-xr9r

MINI-cp8h-cwhx-gxr2

MINI-f6f7-3q88-gq2j

MINI-f822-6cjv-3cxj

MINI-fm3g-5w5g-p6x6

MINI-fpg8-q2jq-7fwr

MINI-fpqx-2gm4-7j59

MINI-g2r4-m59m-jhh4

MINI-g2vh-wcpv-hgg8

MINI-g3ff-3964-p7cg

MINI-g4qm-cjx4-879g

MINI-g863-xcxv-m848

MINI-gcfq-cvjq-6h36

MINI-ggrh-w467-2p56

MINI-gj3c-q7cx-v47g

MINI-gmg7-6mgj-qhhr

MINI-h2mm-6m79-3vr5

MINI-h4cc-r8q4-6w5g

MINI-h6g6-q8pc-hh4f

MINI-hc9w-x8jw-qc75

MINI-hcrf-gvg9-xg6j

MINI-hf33-vjrw-j9jv

MINI-hf45-7p3q-c4r3

MINI-hg25-9r48-5w8v

MINI-hgjp-9j6h-8j8j

MINI-hvm8-f9x7-vgv3

MINI-hvxp-gr8m-4q6x

MINI-hx47-mw98-g5vh

MINI-hx58-48m8-wj7m

MINI-j2h9-w953-mw2r

MINI-j5x5-cr4g-vjr7

MINI-j69h-gpqp-75cp

MINI-j963-7qvv-c52x

MINI-jgm2-p6r5-7w87

MINI-jhvr-v6m2-rxf2

MINI-jq5f-8v9m-mwjh

MINI-jrc7-v9c8-cv4v

MINI-m5c8-hh6m-wcxx

MINI-m8ww-34v7-4pgc

MINI-m9vq-7vp6-886x

MINI-mg24-v755-pj27

MINI-mgq5-9qj7-mpc8

MINI-mgrc-jgfg-4h4j

MINI-mhmc-jjpv-6qxv

MINI-mhrf-fjq8-hvvq

MINI-mjmm-vp66-mxjc

MINI-mqp3-46f9-7p37

MINI-mw97-pr43-wwrw

MINI-p2r2-wxwh-pr5f

MINI-p823-g969-jpj2

MINI-p966-gh94-5f7v

MINI-pgjw-gwxc-rm4g

MINI-pmh5-jr8j-5p9v

MINI-ppvx-fq59-w5fg

MINI-q3m3-hp37-mwrc

MINI-qc6w-6r7f-4g69

MINI-qcpm-4j9v-phj8

MINI-qfpp-6g3x-4rm7

MINI-qgpf-hv99-xcph

MINI-qjrp-2863-9xp9

MINI-qjxc-56fv-8xx8

MINI-qwh8-qqrc-mgc3

MINI-qx52-mhj3-2r42

MINI-r9j3-q452-7fx2

MINI-r9jm-f3v9-9499

MINI-r9xm-qmqq-v2q3

MINI-rc87-mgmr-cqwv

MINI-rv3f-j8rf-c25f

MINI-rxr4-x4cp-888x

MINI-v48q-9c95-47vx

MINI-v4hp-g83w-2232

MINI-v77p-8g43-hm73

MINI-v7pw-xrj6-9gmm

MINI-v8rv-v4fw-23hv

MINI-vfph-2jfx-fcx6

MINI-vw32-p44w-ff38

MINI-w34w-5w5h-9cj3

MINI-w39c-wg63-fppr

MINI-w5gf-h4f6-rq5r

MINI-w75c-6746-66mg

MINI-w7p2-7829-qqr3

MINI-x3pq-p839-wcf6

MINI-x7m4-8p3h-v5v8

MINI-x8mf-vv94-9wp6

MINI-xc6f-4vwf-cfgj

MINI-xgfr-vcpj-gpcm

MINI-xq9p-gv5p-mr6g

MINI-xv26-rfv6-q3xq

MINI-xvwf-xh72-j2m8

Related

CGA-w99c-3vgh-qrg5

Published

2026-05-14T18:25:38Z

Modified

2026-06-09T10:30:12.800615329Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

go-billy has path traversal vulnerabilities

Details

Impact

Multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base directories.

While go-billy was not originally designed to provide a strong security boundary, some of these issues were inconsistent across some of the built-in implementations. This results in scenarios where applications relying on go-billy for some level of isolation may inadvertently expose access to unintended filesystem locations.

The osfs.ChrootOS implementation is notably affected by this vulnerability and is now deprecated in v5, removed at v6. Users are recommended to move on to osfs.BoundOS instead: osfs.New(path, WithBoundOS()).

Users requiring stronger security boundary enforcement are recommended to upgrade to v6, where the osfs implementation are backed by the traversal-resistant primitive os.Root.

Patches

Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-billy version.

Credits

Thanks to @faran66 and @vnykmshr for finding and separately reporting this issue privately to the go-git project. 🙇

Database specific

{
    "github_reviewed": true,
    "severity": "HIGH",
    "nvd_published_at": "2026-05-28T22:16:59Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "github_reviewed_at": "2026-05-14T18:25:38Z"
}

References

Affected packages

Go / github.com/go-git/go-billy/v5

Package

Name: github.com/go-git/go-billy/v5; View open source insights on deps.dev
Purl: pkg:golang/github.com/go-git/go-billy/v5

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.9.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qw64-3x98-g7q2/GHSA-qw64-3x98-g7q2.json"

Go / github.com/go-git/go-billy/v6

Package

Name: github.com/go-git/go-billy/v6; View open source insights on deps.dev
Purl: pkg:golang/github.com/go-git/go-billy/v6

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.0.0-alpha.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qw64-3x98-g7q2/GHSA-qw64-3x98-g7q2.json"