Improper access to parent directory of root in os

GO-2026-4403 · BIT-golang-2025-22873 · CVE-2025-22873

Published Feb 4, 2026 · Modified May 15, 2026

Description

It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.

References

FIX https://go.dev/cl/670036
REPORT https://go.dev/issue/73555
WEB https://groups.google.com/g/golang-announce/c/UZoIkUT367A/m/5WDxKizJAQAJ

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes