
CVE-2025-8959 – HashiCorp go-getter Vulnerable to Arbitrary Read through Symlink Attack
https://notcve.org/view.php?id=CVE-2025-8959
15 Aug 2025 — HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9. These are all security issues fixed in the terragrunt-0.85.1-1.1 package on the GA media of openSUSE Tumbleweed. • https://discuss.hashicorp.com/t/hcsec-2025-23-hashicorp-go-getter-vulnerable-to-arbitrary-read-through-symlink-attack/76242 • CWE-59: Improper Link Resolution Before File Access ('Link Following')

CVE-2024-6257 – HashiCorp go-getter Vulnerable to Code Execution On Git Update Via Git Config Manipulation
https://notcve.org/view.php?id=CVE-2024-6257
25 Jun 2024 — HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution. An update that fixes three vulnerabilities is now available. Trivy was updated to fix the following issues. • https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVE-2024-3817 – HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches
https://notcve.org/view.php?id=CVE-2024-3817
17 Apr 2024 — HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnerability does not affect the go-getter/v2 branch and package. These are all security issues fixed in the trivy-0.58.2-1.1 package on the GA media of openSUSE Tumbleweed. • https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')