Arch Linux Security Advisory ASA-202505-12 ========================================== Severity: Low Date : 2025-05-19 CVE-ID : CVE-2025-22873 Package : go Type : directory traversal Remote : No Link : https://security.archlinux.org/AVG-2878 Summary ======= The package go before version 2:1.24.3-1 is vulnerable to directory traversal. Resolution ========== Upgrade to 2:1.24.3-1. # pacman -Syu "go>=2:1.24.3-1" The problem has been fixed upstream in version 1.24.3. Workaround ========== None. Description =========== It was possible to improperly access the parent directory of a restricted filesystem root created with os.DirFS. Calling Open("../") on such a filesystem could open the parent directory itself, violating expected directory confinement. This escape did not allow access to ancestor directories beyond the parent, nor to files within the parent directory. This behavior has been corrected to return an error for such paths. Impact ====== A local attacker or untrusted component running within a Go application could bypass directory confinement by accessing the parent directory of a restricted os.DirFS root using a "../" path. References ========== https://github.com/golang/go/issues/73555 https://go.dev/doc/devel/release#go1.24.3 https://groups.google.com/g/golang-announce/c/UZoIkUT367A/m/5WDxKizJAQAJ?pli=1 https://security.archlinux.org/CVE-2025-22873