=====================================================================
CERT-Renater Note d'Information No. 2025/VULN521
_____________________________________________________________________

DATE : 18/08/2025
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running HashiCorp go-getter versions prior to 1.7.9.
=====================================================================

https://discuss.hashicorp.com/t/hcsec-2025-23-hashicorp-go-getter-vulnerable-to-arbitrary-read-through-symlink-attack/76242
_____________________________________________________________________

HCSEC-2025-23 - HashiCorp go-getter Vulnerable to Arbitrary Read through Symlink Attack

Security | dduzgun-security

Bulletin ID: HCSEC-2025-23
Affected Products / Versions: go-getter up to 1.7.8; fixed in go-getter 1.7.9.
Publication Date: Aug 15, 2025

Summary

HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.

Background

HashiCorp's go-getter is a Go library for downloading files or directories from various sources using a URL as the primary form of input.

Details

Using go-getter to download a specific subdirectory from a fetched source is prone to symlink attacks. This occurs when a symbolic link present in the source repository is followed during content extraction into the designated local subdirectory, enabling unauthorized read access beyond the intended boundaries across the filesystem.

Remediation

Consumers of the go-getter library downloading files via a subdirectory should evaluate the risk associated with this issue in the context of their go-getter usage and upgrade go-getter to 1.7.9 or later. The latest go-getter releases can be found at https://github.com/hashicorp/go-getter/releases.
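The Details section above describes the failure mode: a symlink in the fetched content resolves to a location outside the directory it was fetched into, so later reads of the "downloaded" tree actually read from elsewhere on the filesystem. The following Go program is an added example written for this note; it is not HashiCorp's code, not the go-getter 1.7.9 fix, and not part of the go-getter API. It shows the check a consumer can run over a fetched directory before trusting its contents: walk the tree without following symlinks, resolve every entry with filepath.EvalSymlinks, and flag any entry whose real location is not under the real root. The function names (WithinRoot, FindEscapingEntries) and the decision to report dangling symlinks as unverifiable are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot marks an entry whose symlink-resolved location lies
// outside the directory it was fetched into.
var ErrOutsideRoot = errors.New("entry resolves outside the designated directory")

// WithinRoot resolves every symlink in both root and candidate and reports
// whether candidate still lies inside root. A nil error means it does.
// Both sides are resolved because the root itself may sit behind a symlink
// (for example /tmp on some systems).
func WithinRoot(root, candidate string) error {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return err
	}
	realRoot, err = filepath.Abs(realRoot)
	if err != nil {
		return err
	}
	realPath, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return err // dangling symlink or missing target: cannot be verified
	}
	realPath, err = filepath.Abs(realPath)
	if err != nil {
		return err
	}
	rel, err := filepath.Rel(realRoot, realPath)
	if err != nil {
		return err
	}
	// A relative path that starts with ".." climbs out of the root.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return ErrOutsideRoot
	}
	return nil
}

// FindEscapingEntries walks dir without following symlinks and returns, as
// paths relative to dir, every entry that resolves outside dir. A symlink
// that cannot be resolved at all (dangling) is treated as unverifiable and
// is reported as well; other I/O errors abort the walk.
func FindEscapingEntries(dir string) ([]string, error) {
	var escaping []string
	walkErr := filepath.WalkDir(dir, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		checkErr := WithinRoot(dir, path)
		if checkErr == nil {
			return nil
		}
		isLink := d.Type()&fs.ModeSymlink != 0
		if errors.Is(checkErr, ErrOutsideRoot) || isLink {
			rel, relErr := filepath.Rel(dir, path)
			if relErr != nil {
				return relErr
			}
			escaping = append(escaping, rel)
			return nil
		}
		return checkErr
	})
	return escaping, walkErr
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintf(os.Stderr, "usage: %s <fetched-directory>\n", os.Args[0])
		os.Exit(2)
	}
	escaping, err := FindEscapingEntries(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	if len(escaping) == 0 {
		fmt.Println("no entries resolve outside", os.Args[1])
		return
	}
	fmt.Println("entries resolving outside the fetched directory:")
	for _, e := range escaping {
		fmt.Println("  ", e)
	}
	os.Exit(1)
}
```

Run it as `go run . /path/to/fetched/dir`; a non-zero exit means at least one entry points outside the tree and the fetched content should not be used as-is. Comparing resolved paths with filepath.Rel rather than a raw string prefix avoids the classic mistake where a root of `/srv/data` wrongly accepts `/srv/data-other/x`.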
Acknowledgement

This issue was identified by the Product Security team at HashiCorp. We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44             +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41             +
+ 75013 Paris         | email : cert@support.renater.fr  +
=========================================================