[manjaro-security] [ASA-202505-12] go: directory traversal

Andrea Denisse denisse at archlinux.org
Tue May 20 21:18:44 CEST 2025


Arch Linux Security Advisory ASA-202505-12
==========================================

Severity: Low
Date    : 2025-05-19
CVE-ID  : CVE-2025-22873
Package : go
Type    : directory traversal
Remote  : No
Link    : https://security.archlinux.org/AVG-2878

Summary
=======

The package go before version 2:1.24.3-1 is vulnerable to directory
traversal.

Resolution
==========

Upgrade to 2:1.24.3-1.

# pacman -Syu "go>=2:1.24.3-1"

The problem has been fixed upstream in version 1.24.3.

Workaround
==========

None.

Description
===========

It was possible to improperly access the parent directory of a
restricted filesystem root created with os.DirFS. Calling Open("../")
on such a filesystem could open the parent directory itself, violating
expected directory confinement. This escape did not allow access to
ancestor directories beyond the parent, nor to files within the parent
directory.

This behavior has been corrected to return an error for such paths.

Impact
======

A local attacker or untrusted component running within a Go application
could bypass directory confinement by accessing the parent directory of
a restricted os.DirFS root using a "../" path.
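
The following Go program is an added example (not code from this advisory
or from the Go project) showing the defensive check a caller can apply
regardless of Go version: fs.ValidPath rejects "..", "../" and any path with
a ".." element, so enforcing it before Open keeps the escape described above
from reaching os.DirFS at all. ConfinedOpen, IsConfined and ErrEscapesRoot
are hypothetical helper names; the sandbox directory is constructed at run time.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// ErrEscapesRoot is returned for any name that fs.ValidPath rejects,
// which covers "..", "../" and every path containing a ".." element.
var ErrEscapesRoot = errors.New("path escapes the DirFS root")

// ConfinedOpen is a hypothetical wrapper: it enforces the fs.ValidPath
// contract before delegating to fsys.Open, so "../" never reaches
// os.DirFS even on a Go release older than 1.24.3.
func ConfinedOpen(fsys fs.FS, name string) (fs.File, error) {
	if !fs.ValidPath(name) {
		return nil, fmt.Errorf("%w: %q", ErrEscapesRoot, name)
	}
	return fsys.Open(name)
}

// IsConfined reports whether ConfinedOpen would accept name.
func IsConfined(name string) bool { return fs.ValidPath(name) }

func main() {
	// Constructed sandbox: a temporary root holding one regular file.
	root, err := os.MkdirTemp("", "dirfs-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := os.WriteFile(filepath.Join(root, "hello.txt"), []byte("hi\n"), 0o600); err != nil {
		panic(err)
	}

	fsys := os.DirFS(root)
	for _, name := range []string{"hello.txt", ".", "../", "..", "sub/../../x"} {
		f, err := ConfinedOpen(fsys, name)
		if err != nil {
			fmt.Printf("%-14q rejected: %v\n", name, err)
			continue
		}
		f.Close()
		fmt.Printf("%-14q opened\n", name)
	}
}
```

Note that "." is a valid fs.FS name for the root itself, so it is still
accepted; only names that leave the root are refused.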

References
==========

https://github.com/golang/go/issues/73555
https://go.dev/doc/devel/release#go1.24.3
https://groups.google.com/g/golang-announce/c/UZoIkUT367A/m/5WDxKizJAQAJ?pli=1
https://security.archlinux.org/CVE-2025-22873
