CVE-2025-22873 - log back

CVE-2025-22873 edited at 20 May 2025 17:11:02
Description
- It was possible to improperly access the parent directory of a restricted filesystem root created with `os.DirFS`. Calling `Open("../")` on such a filesystem could open the parent directory itself, violating expected directory confinement. This escape did not allow access to ancestor directories beyond the parent, nor to files within the parent directory.
+ It was possible to improperly access the parent directory of a restricted filesystem root created with os.DirFS. Calling Open("../") on such a filesystem could open the parent directory itself, violating expected directory confinement. This escape did not allow access to ancestor directories beyond the parent, nor to files within the parent directory.
This behavior has been corrected to return an error for such paths.
CVE-2025-22873 edited at 20 May 2025 17:10:44
Description
- it was possible to improperly access the parent directory of a restricted filesystem root created with `os.DirFS`. Calling `Open("../")` on such a filesystem could open the parent directory itself, violating expected directory confinement. This escape did not allow access to ancestor directories beyond the parent, nor to files within the parent directory.
+ It was possible to improperly access the parent directory of a restricted filesystem root created with `os.DirFS`. Calling `Open("../")` on such a filesystem could open the parent directory itself, violating expected directory confinement. This escape did not allow access to ancestor directories beyond the parent, nor to files within the parent directory.
This behavior has been corrected to return an error for such paths.
CVE-2025-22873 edited at 20 May 2025 17:10:34
Description
+ it was possible to improperly access the parent directory of a restricted filesystem root created with `os.DirFS`. Calling `Open("../")` on such a filesystem could open the parent directory itself, violating expected directory confinement. This escape did not allow access to ancestor directories beyond the parent, nor to files within the parent directory.
- It was possible to improperly access the parent directory of an os.Root
- by opening a filename ending in "../". For example, Root.Open("../") would
- open the parent directory of the Root. This escape only permits opening
- the parent directory itself, not ancestors of the parent or files contained
- within the parent.
- Root now correctly returns an error in this case.
+ This behavior has been corrected to return an error for such paths.
CVE-2025-22873 edited at 19 May 2025 23:36:10
Severity
- Medium
+ Low
Remote
- Remote
+ Local
Description
- os: Root permits access to parent directory
-
It was possible to improperly access the parent directory of an os.Root
by opening a filename ending in "../". For example, Root.Open("../") would
open the parent directory of the Root. This escape only permits opening
the parent directory itself, not ancestors of the parent or files contained
within the parent.
Root now correctly returns an error in this case.
CVE-2025-22873 created at 19 May 2025 23:34:36
Severity
+ Medium
Remote
+ Remote
Type
+ Directory traversal
Description
+ os: Root permits access to parent directory
+
+ It was possible to improperly access the parent directory of an os.Root
+ by opening a filename ending in "../". For example, Root.Open("../") would
+ open the parent directory of the Root. This escape only permits opening
+ the parent directory itself, not ancestors of the parent or files contained
+ within the parent.
+
+ Root now correctly returns an error in this case.
References
+ https://github.com/golang/go/issues/73555
+ https://go.dev/doc/devel/release#go1.24.3
+ https://groups.google.com/g/golang-announce/c/UZoIkUT367A/m/5WDxKizJAQAJ?pli=1
Notes
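The description above is specific about the trigger: a name ending in "../" opened against a confined root. As an added example, not code from the Go project or from this record, the following lexical guard shows how a caller can reject that shape of name itself, on any Go version, before handing it to os.Root or fs.FS. ConfinePath and ErrEscapesRoot are assumed names; the check only inspects the string, so it complements rather than replaces the symlink-aware confinement that os.Root provides.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrEscapesRoot is returned for any name that would leave the confined root.
var ErrEscapesRoot = errors.New("path escapes root")

// ConfinePath lexically checks that name stays inside a confined root and
// returns the cleaned, root-relative path. It rejects "..", a name ending in
// "../" (the CVE-2025-22873 trigger), anything starting with "../" after
// cleaning, and absolute paths. Assumed helper: it sees only the string, not
// symlinks on disk, so it is a defence-in-depth layer in front of os.Root.
func ConfinePath(name string) (string, error) {
	// Treat backslashes as separators so "..\" cannot slip past the check.
	name = strings.ReplaceAll(name, `\`, "/")
	if path.IsAbs(name) {
		return "", ErrEscapesRoot
	}
	// path.Clean("../") yields ".."; the trailing slash does not hide the
	// parent reference once the path is cleaned. "a/../b" becomes "b".
	clean := path.Clean(name)
	if clean == ".." || strings.HasPrefix(clean, "../") {
		return "", ErrEscapesRoot
	}
	return clean, nil
}

func main() {
	// Constructed sample names, including the exact shape from the advisory.
	for _, n := range []string{"../", "..", "../etc/passwd", "a/../..", "a/../b/c", "./docs/", "/etc/passwd"} {
		p, err := ConfinePath(n)
		fmt.Printf("%-16q -> %q, %v\n", n, p, err)
	}
}
```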