Vulnerability Report: GO-2026-4403

  • CVE-2025-22873
  • Affects: os
  • Published: Feb 04, 2026

It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.

Affected Packages

  • Path
    Versions
    Symbols
  • os
    before go1.23.9, from go1.24.0-0 before go1.24.3
    all symbols

Aliases

References

Credits

  • Dan Sebastian Thrane of SDU eScience Center

Feedback

See anything missing or incorrect? Suggest an edit to this report.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.