
CVE-2025-8959 – HashiCorp go-getter Vulnerable to Arbitrary Read through Symlink Attack
https://notcve.org/view.php?id=CVE-2025-8959
15 Aug 2025 — HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks, leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.
Reference: https://discuss.hashicorp.com/t/hcsec-2025-23-hashicorp-go-getter-vulnerable-to-arbitrary-read-through-symlink-attack/76242
CWE-59: Improper Link Resolution Before File Access ('Link Following')

CVE-2025-0377 – HashiCorp go-slug Vulnerable to Zip Slip Attack
https://notcve.org/view.php?id=CVE-2025-0377
21 Jan 2025 — HashiCorp's go-slug library is vulnerable to a zip-slip style attack when a non-existent user-provided path is extracted from a tar entry.
Reference: https://discuss.hashicorp.com/t/hcsec-2025-01-hashicorp-go-slug-vulnerable-to-zip-slip-attack
CWE-59: Improper Link Resolution Before File Access ('Link Following')

CVE-2024-6257 – HashiCorp go-getter Vulnerable to Code Execution On Git Update Via Git Config Manipulation
https://notcve.org/view.php?id=CVE-2024-6257
25 Jun 2024 — HashiCorp's go-getter library can be coerced into executing a Git update against an existing, maliciously modified Git configuration, potentially leading to arbitrary code execution.
Reference: https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVE-2024-6104 – go-retryablehttp can leak basic auth credentials to log files
https://notcve.org/view.php?id=CVE-2024-6104
24 Jun 2024 — go-retryablehttp prior to 0.7.7 did not sanitize URLs when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7. A vulnerability was found in go-retryablehttp: the package may lack input sanitization by not cleaning URL data before writing it to the logs.
Reference: https://discuss.hashicorp.com/c/security
CWE-532: Insertion of Sensitive Information into Log File