CVE-2025-22873

EPSS 0%
Veröffentlicht 04.02.2026 23:15:54
Zuletzt bearbeitet 10.02.2026 15:16:40
Quelle security@golang.org
CVE-Watchlists
Login
Unerledigt
Login

It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Golang ≫ Go Version < 1.23.9

Golang ≫ Go Version >= 1.24.0 < 1.24.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0%	0.001

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	3.8	2	1.4	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

CWE-23 Relative Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

https://go.dev/cl/670036

Patch

Product

https://go.dev/issue/73555

Vendor Advisory

Issue Tracking

https://groups.google.com/g/golang-announce/c/UZoIkUT367A/m/5WDxKizJAQAJ

Mailing List

Release Notes

https://pkg.go.dev/vuln/GO-2026-4403

Vendor Advisory

Issue Tracking