CVE-2025-22873
📋 TL;DR
This vulnerability in Go's os.Root implementation allows directory traversal to access the parent directory when opening files ending with '../'. It affects Go applications using os.Root for file operations, potentially exposing files outside intended boundaries. The impact is limited to the immediate parent directory only.
💻 Affected Systems
- Go programming language
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized access to sensitive files in the parent directory, potentially exposing configuration files, credentials, or other protected data.
Likely Case
Limited information disclosure from parent directory contents, but no traversal beyond immediate parent or access to files within parent.
If Mitigated
Minimal impact if proper file permission controls and directory isolation are implemented.
🎯 Exploit Status
Simple path manipulation required. Proof of concept available in Go issue tracker.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Go 1.23.3
Vendor Advisory: https://groups.google.com/g/golang-announce/c/UZoIkUT367A/m/5WDxKizJAQAJ
Restart Required: Yes
Instructions:
1. Update Go to version 1.23.3 or later. 2. Recompile affected applications. 3. Restart services using patched Go runtime.
🔧 Temporary Workarounds
Input validation for file paths
allValidate and sanitize file paths before passing to os.Root operations.
Chroot/jail isolation
linuxUse chroot or similar isolation mechanisms to limit filesystem access.
🧯 If You Can't Patch
- Implement strict input validation to reject paths containing '../' sequences.
- Use application-level access controls to restrict which directories can be accessed.
🔍 How to Verify
Check if Vulnerable:
Check Go version with 'go version'. If version is between 1.23.0 and 1.23.2, system is vulnerable.Check Version:
go versionVerify Fix Applied:
After updating, verify Go version is 1.23.3 or later with 'go version'.📡 Detection & Monitoring
Log Indicators:
- Failed file access attempts with '../' patterns
- Unexpected directory access patterns
Network Indicators:
- HTTP requests with '../' in file paths
- Unusual file access patterns from applications
SIEM Query:
source="application_logs" AND ("../" OR "directory traversal")