CVE-2025-8959

Summary

HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.

Affected Software

VendorProductVersion RangeStatus
HashiCorpShared library0 < 1.7.8affected

Weaknesses

  • CWE-59: CWE-59: Improper Link Resolution Before File Access (Link Following)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References