CVE-2022-26945

9.8 CRITICAL

📋 TL;DR

This vulnerability in the go-getter library allows attackers to bypass security controls, switch protocols, and create endless redirects by manipulating custom HTTP response headers. It affects applications using go-getter versions up to 1.5.11 and 2.0.2 for downloading files or retrieving resources. The high CVSS score indicates critical impact potential.

💻 Affected Systems

Products:
  • go-getter library
  • HashiCorp products using go-getter
  • Applications embedding go-getter
Versions: go-getter <=1.5.11, <=2.0.2
Operating Systems: All platforms where go-getter is used
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using vulnerable go-getter versions for HTTP-based resource retrieval is affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through arbitrary code execution, data exfiltration, or service disruption via malicious file downloads or resource retrieval.

🟠 Likely Case

Unauthorized access to internal systems, configuration bypass leading to data leakage, or denial of service through endless redirect loops.

🟢 If Mitigated

Limited impact with proper network segmentation, input validation, and monitoring in place, potentially reduced to minor configuration issues.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the vulnerable service but no authentication. The vulnerability is in header processing logic.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: go-getter 1.6.1, 2.1.0

Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930

Restart Required: Yes

Instructions:

1. Identify all applications using go-getter.
2. Update the go-getter dependency to 1.6.1+ (v1 line) or 2.1.0+ (v2 line).
3. Rebuild and redeploy affected applications.
4. Restart services using the updated library.

🔧 Temporary Workarounds

Network restriction (applies to: all platforms)

Restrict network access to only trusted sources for go-getter operations.
Use firewall rules to limit outbound/inbound connections.

Input validation (applies to: all platforms)

Implement strict validation of URLs and headers before passing them to go-getter.
Add a validation layer in application code.

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable systems
  • Deploy WAF or proxy with strict header validation and redirect limits

🔍 How to Verify

Check if Vulnerable:

Check go.mod or other dependency manifests for a go-getter version <=1.5.11 (v1 line) or <=2.0.2 (v2 line).

Check Version:

go list -m github.com/hashicorp/go-getter

Verify Fix Applied:

Verify that the go-getter version in dependencies is >=1.6.1 (v1 line) or >=2.1.0 (v2 line).

📡 Detection & Monitoring

Log Indicators:

  • Unusual redirect patterns
  • Multiple HTTP requests to unexpected domains
  • Header manipulation attempts

Network Indicators:

  • Excessive redirects in HTTP traffic
  • Protocol switching attempts
  • Unusual custom headers

SIEM Query:

http.status_code:3* AND (url:*redirect* OR user_agent:*go-getter*)
