HCSEC-2023-04 - go-getter vulnerable to denial of service via malicious compressed archive

Bulletin ID: HCSEC-2023-04
Affected Products / Versions: go-getter up to 1.6.2 and 2.1.1; fixed in 1.7.0 and 2.2.0.
Publication Date: February 13, 2023**

HashiCorp’s go-getter library up to 1.6.2 and 2.1.1 is vulnerable to denial of service via a malicious compressed archive. This vulnerability CVE-2023-0475 was fixed in go-getter 1.7.0 and 2.2.0.

HashiCorp’s go-getter is a Go library for downloading files or directories from various sources using a URL as the primary form of input.

During internal testing, we observed that it was possible to reliably crash the go-getter library using a maliciously crafted compressed archive. This requires an attacker to have access to provide malicious URL inputs to the library using a decompressor.

Exposure of this issue will depend on the context and threat model of the system in which the go-getter library is used. For example, server-side usage of go-getter likely has a greater degree of exposure to these issues than client-side usage of go-getter.

Consumers of the go-getter library should evaluate the risk associated with this issue in the context of their go-getter usage and consider upgrading to go-getter 1.7.0 and 2.2.0, or newer.

Review and consider using new configuration options for go-getter decompressors (FileSizeLimit and FilesLimit) to address exposure.

This issue was identified by HashiCorp’s Partner Solution engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.