Hashicorp: >> Go-Getter >> 1.7.0 Security Vulnerabilities
HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.
CVSS Score
7.5
EPSS Score
0.0
Published
2025-08-15
HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.
CVSS Score
8.4
EPSS Score
0.004
Published
2024-06-25
HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches.
This vulnerability does not affect the go-getter/v2 branch and package.
CVSS Score
9.8
EPSS Score
0.011
Published
2024-04-17