Vulnerability Database

296,857

Total vulnerabilities in the database

CVE-2025-8959

HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.

Published: Aug 15, 2025
Updated: Aug 20, 2025
CVE: CVE-2025-8959
GHSA: GHSA-wjrx-6529-hcj3
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWEs:

CWE-59

Affected Software
References

Software	From	Fixed in
github.com/hashicorp/go-getter	-	1.7.9

https://discuss.hashicorp.com/t/hcsec-2025-23-hashicorp-go-getter-vulnerable-to-arbitrary-read-through-symlink-attack/76242
https://github.com/hashicorp/go-getter/commit/87541b2501c00df5eaedea6acc61a2a4a4efa5b7
https://pkg.go.dev/vuln/GO-2025-3892

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo