CVE-2025-22873
Improper access to parent directory of root in os
3.8
LOW
CVSS 3.1
EPSS 0.00%
Description
It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.
How to fix CVE-2025-22873
To remediate CVE-2025-22873, upgrade the affected package to a fixed version below.
- —upgrade to 1.23.9 or later
- —upgrade to 1.24.4-1 or later
- —upgrade to 1.23.9 or later
Is CVE-2025-22873 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 1.23.9, >= 1.24.0-0, < 1.24.3
- from 0, < 1.24.4-1
- from 0, < 1.23.9, >= 1.24.0-0, < 1.24.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW 3.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |