The "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly brace (both '{' and '}' characters).
Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Moduleawarego_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2022-0190" }