CVE-2025-8959

7.5 HIGH

📋 TL;DR

CVE-2025-8959 is a symlink attack vulnerability in HashiCorp's go-getter library that allows attackers to read files outside the intended download directory by exploiting the subdirectory download feature. This affects any software using go-getter to download files, potentially exposing sensitive data. Users of HashiCorp tools or third-party applications relying on go-getter are at risk.

💻 Affected Systems

Products:
  • HashiCorp go-getter library
  • Any software using go-getter for downloads
Versions: Versions before 1.7.9
Operating Systems: All operating systems supporting symlinks (e.g., Linux, Unix, macOS)
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is present when using the subdirectory download feature; default usage may not always be affected depending on configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could read arbitrary files on the system, such as configuration files, secrets, or sensitive data, leading to data breaches or privilege escalation.

🟠

Likely Case

Unauthorized access to files in directories adjacent to the download target, compromising application data or credentials.

🟢

If Mitigated

Limited impact if strict file permissions and isolation are enforced, but still poses a data leakage risk.

🌐 Internet-Facing: MEDIUM, as exploitation requires the ability to trigger downloads from attacker-controlled sources, which may be possible in web-facing applications using go-getter.
🏢 Internal Only: LOW, as it typically requires local or network access to manipulate symlinks, reducing exposure in isolated environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the ability to create symlinks and trigger downloads, which may involve social engineering or compromised sources.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.9

Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2025-23-hashicorp-go-getter-vulnerable-to-arbitrary-read-through-symlink-attack/76242

Restart Required: No

Instructions:

1. Update go-getter to version 1.7.9 or later.
2. For Go projects, run 'go get github.com/hashicorp/go-getter@v1.7.9'.
3. Rebuild and redeploy any affected applications.

🔧 Temporary Workarounds

Disable subdirectory downloads

Avoid using the subdirectory download feature in go-getter to prevent symlink attacks.

Modify code to set DisableSymlinks: true in go-getter configurations if supported.
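As an added illustration of the containment check that a DisableSymlinks-style setting enforces (example code, not go-getter's own implementation): a Go helper that resolves the requested subdirectory through every symlink and rejects it if the result no longer sits under the download root. The helper name SafeSubdir and the fixture directories it is run against are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot: the subdirectory resolves, via symlinks, outside the root.
var ErrEscapesRoot = errors.New("subdirectory escapes download root")

// SafeSubdir is a hypothetical containment check (not go-getter's code): it
// joins subdir onto root, resolves all symlinks, and rejects anything outside.
func SafeSubdir(root, subdir string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	realPath, err := filepath.EvalSymlinks(filepath.Join(realRoot, subdir))
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(realRoot, realPath)
	if err != nil {
		return "", err
	}
	// Rel yields ".." or "../x" for any path outside realRoot.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	return realPath, nil
}

func main() {
	// Constructed fixture: a download root with a legitimate subdirectory and
	// a symlink pointing outside it, as a malicious source could carry.
	root, _ := os.MkdirTemp("", "dl-root-")
	outside, _ := os.MkdirTemp("", "outside-")
	defer os.RemoveAll(root)
	defer os.RemoveAll(outside)
	_ = os.MkdirAll(filepath.Join(root, "modules", "vpc"), 0o755)
	_ = os.Symlink(outside, filepath.Join(root, "escape"))
	for _, sub := range []string{"modules/vpc", "escape", "../"} {
		p, err := SafeSubdir(root, sub)
		fmt.Printf("%-12s -> path=%q err=%v\n", sub, p, err)
	}
}
```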

🧯 If You Can't Patch

  • Restrict file permissions to limit read access to sensitive directories.
  • Isolate download processes using containerization or sandboxing to contain potential breaches.

🔍 How to Verify

Check if Vulnerable:

Check the go-getter version in your project; if below 1.7.9, it is vulnerable. Use 'go list -m github.com/hashicorp/go-getter' in Go projects.

Check Version:

go list -m github.com/hashicorp/go-getter

Verify Fix Applied:

Confirm the go-getter version is 1.7.9 or higher after update. Run 'go version -m' on binaries or check dependency files.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file access errors or symlink-related warnings in application logs during download operations.

Network Indicators:

  • Unusual download patterns from untrusted sources triggering go-getter calls.

SIEM Query:

Search for logs containing 'go-getter' and 'symlink' or 'permission denied' errors in download contexts.
