CVE-2025-8959

HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://discuss.hashicorp.com/t/hcsec-2025-23-hashicorp-go-getter-vulnerable-to-arbitrary-read-through-symlink-attack/76242

Configurations

No configuration.

History

18 Aug 2025, 20:16

Type	Values Removed	Values Added
Summary		(es) La función de descarga de subdirectorios de la librería Go-getter de HashiCorp es vulnerable a ataques de enlace simbólico, lo que provoca accesos de lectura no autorizados más allá de los límites del directorio designado. Esta vulnerabilidad, identificada como CVE-2025-8959, se corrige en Go-getter 1.7.9.

15 Aug 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-15 21:15

Updated : 2025-08-18 20:16

NVD link : CVE-2025-8959

Mitre link : CVE-2025-8959

CVE.ORG link : CVE-2025-8959

JSON object : View

Products Affected

No product.

CWE

CWE-59

Improper Link Resolution Before File Access ('Link Following')

7.5 /10