Hashicorp: >> Go-Getter >> 1.6.0 Security Vulnerabilities
HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.
CVSS Score
7.5
EPSS Score
0.0
Published
2025-08-15
HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.
CVSS Score
8.4
EPSS Score
0.004
Published
2024-06-25
HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches.
This vulnerability does not affect the go-getter/v2 branch and package.
CVSS Score
9.8
EPSS Score
0.011
Published
2024-04-17
HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
CVSS Score
4.2
EPSS Score
0.001
Published
2023-02-16