Skip to content

os: Root permits access to parent directory (fix CVE-2025-22873) #73555

New issue
New issue
Closed
Closed
os: Root permits access to parent directory (fix CVE-2025-22873)#73555
Labels
NeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blockervulncheck or vulndbIssues for the x/vuln or x/vulndb repo
Milestone
Go1.25
@neild

Description

@neild
neild
opened on Apr 30, 2025

os: Root permits access to parent directory

It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.

Root now correctly returns an error in this case.

This is CVE-2025-22873 and Go issue https://go.dev/issue/73555.

Thanks to Dan Sebastian Thrane of SDU eScience Center for reporting this issue.

This is a PRIVATE issue for CVE-2025-22873, tracked in http://b/408209442.

/cc @golang/security and @golang/release

Metadata

Metadata

Assignees

No one assigned

    Labels

    NeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blockervulncheck or vulndbIssues for the x/vuln or x/vulndb repo

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions