CVE-2025-8959
- EPSS 0.02%
- Published 15.08.2025 20:32:52
- Last modified 18.08.2025 20:16:28
HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.
CVE-2024-3817
- EPSS 0.16%
- Published 17.04.2024 20:15:08
- Last modified 21.11.2024 09:30:27
HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnerability does not affect the go-getter/v2 branch and package.
CVE-2023-0475
- EPSS 0.07%
- Published 16.02.2023 19:15:13
- Last modified 21.11.2024 07:37:15
HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
CVE-2022-26945
- EPSS 0.1%
- Published 25.05.2022 12:15:08
- Last modified 21.11.2024 06:54:51
go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30321
- EPSS 1.15%
- Published 25.05.2022 12:15:08
- Last modified 21.11.2024 07:02:34
go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30322
- EPSS 0.36%
- Published 25.05.2022 12:15:08
- Last modified 21.11.2024 07:02:34
go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30323
- EPSS 0.36%
- Published 25.05.2022 12:15:08
- Last modified 21.11.2024 07:02:35
go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0.
CVE-2022-29810
- EPSS 0.1%
- Published 27.04.2022 06:15:40
- Last modified 21.11.2024 06:59:43
The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.