Name: go
CVEs: CVE-2025-22873
CVSSs: n/a
Action Needed: update to >= 1.23.9 or >= 1.24.3
Summary: os: Root permits access to parent directory. It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent. Root now correctly returns an error in this case. This is CVE-2025-22873 and Go issue https://go.dev/issue/73555.
See also https://groups.google.com/g/golang-announce/c/UZoIkUT367A.
refmap.gentoo: https://bugs.gentoo.org/955613
Name: go
CVEs: CVE-2025-22873
CVSSs: n/a
Action Needed: update to >= 1.23.9 or >= 1.24.3
Summary: os: Root permits access to parent directory. It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent. Root now correctly returns an error in this case. This is CVE-2025-22873 and Go issue https://go.dev/issue/73555.
See also https://groups.google.com/g/golang-announce/c/UZoIkUT367A.
refmap.gentoo: https://bugs.gentoo.org/955613