CVE-2025-22873

Published: Feb 4, 2026Modified: Feb 10, 2026

3.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Exploitability: 2.0 / Impact: 1.4

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.

Affected (2)

Products: Golang: Go

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Golang Go	Before 1.23.9
Golang Go	From 1.24.0 to 1.24.3

Related CWEs

Relative Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

References (5)

https://go.dev/cl/670036

Source: security@golang.org

PatchProduct

https://go.dev/issue/73555

Source: security@golang.org

Issue TrackingVendor Advisory

https://groups.google.com/g/golang-announce/c/UZoIkUT367A/m/5WDxKizJAQAJ

Source: security@golang.org

Mailing ListRelease Notes

https://pkg.go.dev/vuln/GO-2026-4403

Source: security@golang.org

Vendor AdvisoryIssue Tracking

http://www.openwall.com/lists/oss-security/2025/05/06/2

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

Timeline

No history available yet.