CVE-2025-8959: 
Trivy vulnerability analysis and mitigation

HashiCorp's go-getter library subdirectory download feature was found to contain a security vulnerability (CVE-2025-8959) that allows unauthorized read access beyond designated directory boundaries through symlink attacks. The vulnerability affects go-getter versions up to 1.7.8 and was fixed in version 1.7.9. This security issue was discovered and disclosed on August 15, 2025, by HashiCorp's Product Security team (HashiCorp Advisory).

The vulnerability exists in the subdirectory download functionality of the go-getter library. When downloading specific subdirectories from a fetched source, the library improperly handles symbolic links present in the source repository during content extraction into the designated local subdirectory. This improper link resolution, classified as CWE-59 (Improper Link Resolution Before File Access), allows for unauthorized read access across the filesystem beyond the intended directory boundaries. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD Database).

The vulnerability enables attackers to gain unauthorized read access to files and directories outside the intended directory boundaries through symlink manipulation. This could potentially lead to exposure of sensitive information stored elsewhere in the filesystem that should not be accessible through the go-getter library (HashiCorp Advisory).

Users of the go-getter library are advised to upgrade to version 1.7.9 or later to address this vulnerability. Organizations should evaluate the risk associated with their specific go-getter usage and implement the upgrade accordingly. The fixed version can be obtained from the official go-getter releases repository (HashiCorp Advisory).