Description

HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.

PUBLISHED Reserved 2025-08-13 | Published 2025-08-15 | Updated 2025-08-15 | Assigner HashiCorp




HIGH: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Problem types

CWE-59: Improper Link Resolution Before File Access (Link Following)

Product status

Default status: unaffected

Any version before 1.7.8: affected

References

discuss.hashicorp.com/...y-read-through-symlink-attack/76242

cve.org (CVE-2025-8959)

nvd.nist.gov (CVE-2025-8959)
