Directory Traversal Vulnerability in Go Programming Language
CVE-2025-22873

3.8LOW

Key Information:

Vendor: Go Standard Library
Status: Os
Vendor: CVE Published:; 4 February 2026

🔔 Create Go Standard Library Vulnerability Alert

Badges

📰 News Worthy

What is CVE-2025-22873?

This vulnerability allows unauthorized access to a parent directory of an os.Root by using a filename that ends with '../'. It poses risks as it could potentially expose sensitive information stored within the parent directory. However, this exploit is limited to accessing the direct parent directory only, and does not allow access to its ancestors or the files contained within.

Affected Version(s)

os 0 < 1.23.9

os 1.24.0-0 < 1.24.3

News Articles

CVE-2025-22873 | Ubuntu

Ubuntu is an open source software operating system that runs from the desktop, to the cloud, to all your internet connected things.

References

https://go.dev/cl/670036

https://go.dev/issue/73555

https://groups.google.com/g/golang-announce/c/UZoIkUT367A...

CVSS V3.1

Score:

3.8

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 4, 2026
📰
First article discovered by Ubuntu
May 11, 2025
Vulnerability Reserved
Jan 8, 2025

Credit

Dan Sebastian Thrane of SDU eScience Center

CVE-2025-22873 Data

.