CVE-2025-22873

Published: May 12, 2025Last modified: July 22, 2025

Description

It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.

Severity score breakdown

Parameter	Value
Base score	3.8
Attack Vector	LOCAL
Attack complexity	LOW
Privileges required	LOW
User interaction	NONE
Scope	CHANGED
Confidentiality	LOW
Integrity impact	NONE
Availability impact	NONE
Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Status

Product	Release	Package	Status
Alpaquita Linux	23 LTS	go	Not affected (1.23.8-r0)
Alpaquita Linux	Stream	go	Fixed (1.24.3-r0)
Hardened Containers	23 LTS	go	Not affected (1.23.8-r0)
Hardened Containers	Stream	go	Fixed (1.24.3-r0)

References

http://www.openwall.com/lists/oss-security/2025/05/06/2
https://go.dev/cl/670036
https://go.dev/issue/73555
https://groups.google.com/g/golang-announce/c/UZoIkUT367A/m/5WDxKizJAQAJ
https://pkg.go.dev/vuln/GO-2026-4403