HCSEC-2025-23 - HashiCorp go-getter Vulnerable to Arbitrary Read through Symlink Attack

Bulletin ID: HCSEC-2025-23
Affected Products / Versions: go-getter up to 1.7.8; fixed in go-getter 1.7.9.
Publication Date: Aug 15, 2025

Summary
The subdirectory download feature of HashiCorp’s go-getter library is vulnerable to symlink attacks, leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.

Background
HashiCorp’s go-getter is a Go library for downloading files or directories from various sources, using a URL as the primary form of input.

Details
Using go-getter to download a specific subdirectory from a fetched source is prone to symlink attacks. This occurs when a symbolic link present in the source repository is followed during content extraction into the designated local subdirectory, enabling unauthorized read access beyond the intended boundaries across the filesystem.
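The following is an added example, not go-getter's own code or its fix: a defensive check (hypothetical helper ResolveWithinRoot) that resolves a requested subdirectory through any symlinks and rejects it when the real path leaves the fetched source root, exercised against a constructed fixture (BuildFixture) in which a symlink inside the subdirectory points outside the root.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot reports a sub-path whose real location is outside the root.
var ErrOutsideRoot = errors.New("path escapes the source root")

// ResolveWithinRoot resolves root/sub through every symlink and rejects it unless the real path still lies under the real root.
func ResolveWithinRoot(root, sub string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	realPath, err := filepath.EvalSymlinks(filepath.Join(realRoot, sub))
	if err != nil {
		return "", err
	}
	// filepath.Rel yields ".." or "../x" exactly when realPath is not under realRoot.
	rel, err := filepath.Rel(realRoot, realPath)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return realPath, nil
}

// BuildFixture creates a constructed tree under base and returns its source root; src/modules/app/escape is a symlink to base/outside, i.e. out of src.
func BuildFixture(base string) string {
	outside := filepath.Join(base, "outside")
	app := filepath.Join(base, "src", "modules", "app")
	_ = os.MkdirAll(outside, 0o755)
	_ = os.MkdirAll(app, 0o755)
	if err := os.Symlink(outside, filepath.Join(app, "escape")); err != nil {
		panic(err) // fixture cannot be built (e.g. symlinks unsupported)
	}
	return filepath.Join(base, "src")
}

func main() {
	base, _ := os.MkdirTemp("", "getter-demo") // constructed scratch tree
	defer os.RemoveAll(base)
	root := BuildFixture(base)
	_, err := ResolveWithinRoot(root, "modules/app/escape")
	fmt.Println("symlinked subdirectory rejected:", errors.Is(err, ErrOutsideRoot))
}
```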

Remediation
Consumers of the go-getter library downloading files via a subdirectory should evaluate the risk associated with these issues in the context of their go-getter usage and upgrade go-getter to 1.7.9 or later. The latest go-getter releases can be found at https://github.com/hashicorp/go-getter/releases.

Acknowledgement
This issue was identified by the Product Security team at HashiCorp.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.