CVE-2025-22873

Published: Feb 4, 2026

Modified: Feb 5, 2026

PUBLISHED

Description

It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.

Vendor	Product	Versions
Go standard library	os	affected `0 - < 1.23.9` affected `1.24.0-0 - < 1.24.3`

References

https://go.dev/cl/670036

https://go.dev/issue/73555

https://groups.google.com/g/golang-announce/c/UZoIkUT367A/m/5WDxKizJAQAJ

https://pkg.go.dev/vuln/GO-2026-4403

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-22873

Description

Affected Products

References