
Cloud Vulnerability DB
A community-led vulnerabilities database
The subdirectory download feature of HashiCorp's go-getter library contains a security vulnerability identified as CVE-2025-8959. The vulnerability was discovered and disclosed on August 15, 2025, and affects go-getter versions up to 1.7.8. go-getter downloads files or directories from various sources using URLs, and the issue lies in its subdirectory download functionality (HashiCorp Discussion).
The vulnerability is classified as CWE-59 (Improper Link Resolution Before File Access) and has received a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The technical issue involves the library's handling of symbolic links during content extraction into designated local subdirectories (NVD).
When exploited, this vulnerability allows unauthorized read access beyond the designated directory boundaries across the filesystem. The high CVSS score reflects the potential for significant confidentiality breaches, although integrity and availability are not affected (HashiCorp Discussion).
The vulnerability has been fixed in go-getter version 1.7.9. Users are advised to evaluate the risk associated with their go-getter usage and upgrade to version 1.7.9 or later. The latest go-getter releases can be found on the official GitHub repository (HashiCorp Discussion).
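To illustrate the CWE-59 class described above, the following added Go example checks that a requested subdirectory still resolves inside the fetched directory once symbolic links are followed. It is not go-getter's code or its 1.7.9 fix; `resolveWithin`, `demo` and the directory names are hypothetical, and the tree is constructed in a temporary directory.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveWithin (hypothetical helper, not go-getter API) resolves symlinks in
// root/subdir and returns the real path only if it still lies inside root.
func resolveWithin(root, subdir string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	realTarget, err := filepath.EvalSymlinks(filepath.Join(realRoot, subdir))
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(realRoot, realTarget)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("subdir %q resolves outside %q", subdir, root)
	}
	return realTarget, nil
}

// demo builds a constructed tree: a fetched directory containing a normal
// subdirectory and a symlink that points at a sibling directory outside it.
func demo() (okErr, linkErr, dotsErr error) {
	base, err := os.MkdirTemp("", "subdir-demo")
	if err != nil {
		return err, nil, nil
	}
	defer os.RemoveAll(base)
	fetched := filepath.Join(base, "fetched")
	os.MkdirAll(filepath.Join(fetched, "modules", "app"), 0o755)
	os.MkdirAll(filepath.Join(base, "outside"), 0o755)
	os.Symlink(filepath.Join(base, "outside"), filepath.Join(fetched, "leak"))
	_, okErr = resolveWithin(fetched, "modules/app") // stays inside: accepted
	_, linkErr = resolveWithin(fetched, "leak")      // symlink escapes: rejected
	_, dotsErr = resolveWithin(fetched, "../outside") // dot-dot escapes: rejected
	return okErr, linkErr, dotsErr
}

func main() {
	fmt.Println(demo())
}
```

A check like this is defence in depth for callers that copy out of a fetched tree; it does not replace upgrading to go-getter 1.7.9 or later.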
Source: This report was generated using AI