Open File Behavior Discrepancy in Go on Unix and Windows Systems
CVE-2025-0913

5.5MEDIUM

Key Information:

Vendor: Go Standard Library
Status: Syscall; Os
Vendor: CVE Published:; 11 June 2025

🔔 Create Go Standard Library Vulnerability Alert

What is CVE-2025-0913?

This vulnerability pertains to the behavior of the Go programming language's OpenFile function when handling dangling symlinks across different operating systems. On Unix systems, using OpenFile with the O_CREATE and O_EXCL flags does not follow symlinks, ensuring that it behaves predictably. However, on Windows, it allows the creation of a file in a location pointed to by a symlink even if that location is invalid. The updated behavior now ensures that OpenFile returns an error when both O_CREATE and O_EXCL flags are set for a symlink, aligning the functionality across platforms and enhancing overall reliability.

Affected Version(s)

os windows 0 < 1.23.10

os windows 1.24.0-0 < 1.24.4

syscall windows 0 < 1.23.10

References

https://go.dev/cl/672396

https://go.dev/issue/73702

https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 11, 2025
Vulnerability Reserved
Jan 30, 2025

Credit

Junyoung Park and Dong-uk Kim of KAIST Hacking Lab