CVE-2025-22873
Public on 2025-05-12
Modified on 2025-05-12
Description
A directory traversal vulnerability was discovered in the Go programming language's os package in versions prior to 1.24.3. The vulnerability allows improper access to the parent directory of an os.Root by opening a filename ending in "../". When exploited, this vulnerability permits an attacker to open the parent directory of the Root, though it does not allow access to ancestors of the parent or files contained within the parent directory. This issue has been fixed in Go 1.24.3, where Root now correctly returns an error when such access is attempted.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| HAQM Linux 1 | golang | Not Affected | ||
| HAQM Linux 2 - Core | golang | Not Affected | ||
| HAQM Linux 2023 | golang | 2025-05-21 | ALAS2023-2025-977 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| HAQM Linux | CVSSv3 | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |