CVE-2025-0913 – This vulnerability involves inconsistent symlin... (How to Fix)

Q: What is the severity of CVE-2025-0913?

CVE-2025-0913 has a CVSS score of 5.5 (MEDIUM). This vulnerability involves inconsistent symlink handling in Go's os.OpenFile function when using O_CREATE|O_EXCL flags on Windows versus Unix systems. On Windows, when a dangling symlink (symlink pointing to nonexistent location) was targeted, the function would create a file at the symlink's destination, potentially allowing file creation in unintended locations. This affects applications using Go's os.OpenFile with those specific flags on Windows systems.

📋 TL;DR

This vulnerability involves inconsistent symlink handling in Go's os.OpenFile function when using O_CREATE|O_EXCL flags on Windows versus Unix systems. On Windows, when a dangling symlink (symlink pointing to nonexistent location) was targeted, the function would create a file at the symlink's destination, potentially allowing file creation in unintended locations. This affects applications using Go's os.OpenFile with those specific flags on Windows systems.

💻 Affected Systems

Products:

Go programming language
Applications built with Go using os.OpenFile with O_CREATE|O_EXCL flags

Versions: All Go versions before the fix (specific version not provided in CVE details)

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects Windows systems; Unix systems already had proper symlink handling. Requires use of os.OpenFile with both O_CREATE and O_EXCL flags set.

📦 What is this software?

Go by Golang

View all CVEs affecting Go →

Go by Golang

View all CVEs affecting Go →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could create files in arbitrary locations on Windows systems, potentially leading to privilege escalation, data corruption, or denial of service if critical system files are overwritten.

🟠

Likely Case

File creation in unintended directories, potentially causing application errors, data integrity issues, or minor privilege boundary violations.

🟢

If Mitigated

Limited impact with proper file permission controls and application sandboxing, though unexpected file creation could still occur.

🌐 Internet-Facing: MEDIUM - Applications exposed to the internet that accept user-controlled file paths could be vulnerable to file creation attacks.

🏢 Internal Only: LOW - Requires local access or ability to create symlinks, limiting impact in most internal environments.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM - Requires ability to create symlinks and knowledge of target file paths

Exploitation requires local access or ability to influence file paths in vulnerable applications.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go version with fix (specific version not provided in references)

Vendor Advisory: https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A

Restart Required: No

Instructions:

1. Update Go to the patched version. 2. Recompile affected applications with the updated Go compiler. 3. Redeploy updated applications.

🔧 Temporary Workarounds

Avoid O_CREATE|O_EXCL with symlinks

windows

Modify code to check for symlinks before using os.OpenFile with O_CREATE|O_EXCL flags

// Add symlink check before os.OpenFile
if _, err := os.Lstat(path); err == nil {
    if fi, err := os.Lstat(path); err == nil && fi.Mode()&os.ModeSymlink != 0 {
        // Handle symlink case
    }
}

🧯 If You Can't Patch

Implement strict file path validation to prevent user-controlled paths
Run applications with minimal file system permissions and use sandboxing

🔍 How to Verify

Check if Vulnerable:

Check if application uses os.OpenFile with O_CREATE|O_EXCL flags on Windows and test with dangling symlinks

Check Version:

go version

Verify Fix Applied:

Test the same scenario with updated Go version - os.OpenFile should return error when target is symlink

📡 Detection & Monitoring

Log Indicators:

Unexpected file creation errors
Permission denied errors in unexpected locations
Application crashes related to file operations

Network Indicators:

None - local file system vulnerability

SIEM Query:

Search for file creation events in unexpected directories or symlink-related errors in application logs

📊 Metadata

CVE ID: CVE-2025-0913

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE: CWE-59

EPSS Score: 0.01% exploit probability (1th percentile)

Published: June 11, 2025

Last Updated: August 8, 2025

🔗 References

https://go.dev/cl/672396 Issue Tracking
https://go.dev/issue/73702 Issue Tracking
https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A Mailing List
https://pkg.go.dev/vuln/GO-2025-3750 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-0913, you might also want to check these: