
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-0913 is a security vulnerability in the Go standard library's os.OpenFile function, reported by Junyoung Park and Dong-uk Kim of KAIST Hacking Lab. The vulnerability stems from inconsistent handling of the O_CREATE|O_EXCL flag combination between Unix and Windows when the target path is a dangling symlink. The issue was disclosed on June 11, 2025, and affects Go versions before 1.23.10 and Go 1.24 releases before 1.24.4 (Go Announce).
The vulnerability exists in the os.OpenFile function when it is called with the O_CREATE and O_EXCL flags together. On Unix systems, OpenFile with these flags never follows symlinks, so a symlink at the target path causes the call to fail. On Windows, when the target path was a symlink to a nonexistent location, OpenFile instead followed the link and created a file at that location. Code relying on O_CREATE|O_EXCL as a guarantee that the new file is created at the requested path itself is therefore not protected on Windows. The vulnerability has been assigned a CVSS 3.1 Base Score of 5.5 (MEDIUM) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (NVD).
The vulnerability could be exploited to create files in unintended locations on Windows systems when the O_CREATE and O_EXCL flags are used together and a symlink is present at the target path. The CVSS score indicates high impact on integrity but no impact on confidentiality or availability (NVD).
The vulnerability has been fixed in Go versions 1.23.10 and 1.24.4. The fix ensures that OpenFile always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink, providing consistent behavior across all operating systems (Go Announce).
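The following Go program is an added example written for this entry; it is not code from the Go project or from the advisory. It shows a defensive wrapper for the O_CREATE|O_EXCL pattern that refuses to proceed when the target path is a symlink, mirroring the post-fix semantics for code that must still run on Go versions before 1.23.10 / 1.24.4. The function name CreateExclusive and the error value ErrSymlink are this example's own; the temporary directory and dangling symlink it sets up are constructed test data.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrSymlink is returned when the path to be created is a symbolic link,
// dangling or not. This mirrors the behaviour os.OpenFile has with
// O_CREATE|O_EXCL on Go 1.23.10 / 1.24.4 and later. (Name chosen for this
// example; it is not part of the os package.)
var ErrSymlink = errors.New("refusing to create file: path is a symlink")

// CreateExclusive opens path with O_CREATE|O_EXCL and additionally refuses
// to proceed when path is a symlink. This is a defensive wrapper assumed by
// this example (not a Go standard library function) for code that must run
// on Go versions predating the fix, where Windows followed a dangling
// symlink and created the file at the link's target instead.
func CreateExclusive(path string, perm os.FileMode) (*os.File, error) {
	// Lstat does not follow symlinks, so a dangling link is reported as
	// ModeSymlink rather than as "not found".
	if fi, err := os.Lstat(path); err == nil {
		if fi.Mode()&os.ModeSymlink != 0 {
			return nil, &os.PathError{Op: "open", Path: path, Err: ErrSymlink}
		}
		// An existing regular file falls through: O_EXCL makes OpenFile
		// fail with an error satisfying errors.Is(err, os.ErrExist).
	} else if !errors.Is(err, os.ErrNotExist) {
		return nil, err
	}

	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, perm)
	if err != nil {
		return nil, err
	}

	// Re-check after the open to narrow the window between Lstat and
	// OpenFile in which a symlink could appear. If path is now a symlink,
	// a pre-fix Windows runtime may have created the file at the link
	// target, so the handle is not returned to the caller.
	if fi, err := os.Lstat(path); err == nil && fi.Mode()&os.ModeSymlink != 0 {
		f.Close()
		return nil, &os.PathError{Op: "open", Path: path, Err: ErrSymlink}
	}
	return f, nil
}

func main() {
	dir, err := os.MkdirTemp("", "excl-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	// Constructed scenario: a symlink whose target does not exist.
	link := filepath.Join(dir, "dangling")
	if err := os.Symlink(filepath.Join(dir, "missing"), link); err != nil {
		fmt.Println("cannot create symlink on this system:", err)
		return
	}
	if _, err := CreateExclusive(link, 0o600); err != nil {
		fmt.Println("dangling symlink refused:", err)
	}

	f, err := CreateExclusive(filepath.Join(dir, "fresh.txt"), 0o600)
	if err != nil {
		panic(err)
	}
	f.Close()
	fmt.Println("fresh file created exclusively")
}
```

The Lstat check before the open is what prevents the file from being created through a dangling link on a pre-fix Windows runtime; the second Lstat only shrinks the race window between the check and the open, it does not close it. Upgrading to a fixed Go release remains the actual remediation, since there the O_CREATE|O_EXCL open itself rejects symlinks atomically on every platform.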
Source: This report was generated using AI