CVE-2025-8959: HashiCorp go-getter Symlink Vulnerability

CVE-2025-8959 is an information disclosure flaw in HashiCorp's go-getter library: symlinks inside downloaded content are followed during subdirectory extraction, giving read access to files outside the intended directory. This article covers technical details, affected versions, and mitigations.

Published: April 15, 2026

CVE-2025-8959 Overview

HashiCorp's go-getter library is vulnerable in its subdirectory download feature (the source//subdir form of a getter URL) to symlink attacks that lead to unauthorized read access beyond the designated directory boundaries. go-getter is widely embedded in infrastructure-as-code tools and configuration management systems to fetch files and modules from Git, HTTP, S3 and other sources. By placing crafted symlinks in content that a victim downloads, an attacker can escape the extraction directory and cause the downloading process to read files elsewhere on the system.

Critical Impact

Attackers can place malicious symlinks in downloaded content to escape the intended directory restrictions and obtain unauthorized read access to any file readable by the process that performs the download, potentially exposing configuration files, secrets, and other confidential data.

Affected Products

  • HashiCorp go-getter versions prior to 1.7.9
  • Applications and tools that integrate the vulnerable go-getter library
  • Infrastructure automation tools using go-getter for module/file downloads

Discovery Timeline

  • 2025-08-15 - CVE-2025-8959 published to NVD
  • 2025-12-11 - Last updated in NVD database

Technical Details for CVE-2025-8959

Vulnerability Analysis

This vulnerability is classified under CWE-59, Improper Link Resolution Before File Access ('Link Following'), and affects HashiCorp's go-getter library. The flaw resides in the subdirectory download feature, which fails to validate symbolic links within downloaded content. When a user downloads content from an attacker-controlled source, the attacker can craft symlinks that point to files or directories outside the intended download location.

The go-getter library is designed to facilitate downloading files and directories from various sources including Git repositories, HTTP endpoints, Amazon S3, and other storage systems. The subdirectory feature allows users to specify a particular directory within the downloaded content to extract. However, insufficient validation of symlinks within this subdirectory allows path traversal through symbolic link resolution.

Root Cause

The root cause of this vulnerability is improper handling of symbolic links during the subdirectory extraction process. go-getter does not verify that symlink targets remain within the expected directory boundaries: when processing downloaded content that contains symlinks, it follows them without checking whether the resolved path escapes the designated extraction directory. This lets an attacker plant symlinks pointing at files such as /etc/passwd, application configuration files, or private keys. What can actually be read is bounded by the privileges of the process embedding go-getter; /etc/shadow, for instance, is only exposed when that process runs as root.

Attack Vector

The attack is network-based and requires no authentication or user interaction beyond initiating a download from an attacker-controlled source. An attacker sets up a malicious repository or file server containing crafted symlinks. When a victim uses go-getter to download and process content from this source, the symlinks are followed and files outside the extraction directory are read. Whether the attacker then actually receives those contents depends on what the victim application does with the extracted tree next (for example, publishing, logging, or bundling it), so the practical impact varies by integration.

The attack scenario typically involves:

  1. An attacker creates a malicious source (e.g., Git repository) containing symlinks pointing to sensitive system files
  2. A victim application using go-getter downloads content from this source with subdirectory extraction enabled
  3. The go-getter library processes the symlinks without proper validation
  4. The attacker can retrieve sensitive file contents through the resolved symlink paths

For detailed technical information, refer to the HashiCorp Security Advisory HCSEC-2025-23.

Detection Methods for CVE-2025-8959

Indicators of Compromise

  • Unexpected symlinks in downloaded directories pointing to paths outside the extraction directory
  • Access log entries showing reads of sensitive files (e.g., /etc/passwd, configuration files) by processes that embed go-getter, such as infrastructure-as-code tooling
  • File system monitoring alerts indicating symbolic link creation in temporary download directories
  • Anomalous read access to sensitive system files from applications using go-getter

Detection Strategies

  • Monitor file system operations for symlink creation in go-getter working directories that point to paths outside expected boundaries
  • Implement application-level logging to track go-getter download sources and validate against known-good lists
  • Use security tools to detect path traversal attempts through symbolic link resolution
  • Audit dependency manifests to identify applications using vulnerable go-getter versions (prior to 1.7.9)

Monitoring Recommendations

  • Enable detailed logging for all go-getter operations including source URLs and extracted file paths
  • Configure file access auditing (for example, Linux auditd watches) on sensitive files to detect unexpected reads; conventional file integrity monitoring (FIM) only reports modifications and will not see a read through a symlink
  • Implement network monitoring to detect connections to suspicious or untrusted download sources
  • Set up alerts for any process embedding go-getter that reads files outside its designated download directories

How to Mitigate CVE-2025-8959

Immediate Actions Required

  • Upgrade go-getter to version 1.7.9 or later immediately
  • Audit all applications and dependencies that use go-getter to ensure they are using the patched version
  • Review recent downloads from external sources for suspicious symlinks
  • Implement network-level controls to restrict go-getter downloads to trusted sources only
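The following Go program is an added example (not a HashiCorp tool) for the two audit steps above, auditing dependency manifests for vulnerable go-getter versions and auditing applications for the patched release. It parses the require lines of a go.mod, picks out the github.com/hashicorp/go-getter requirement and compares it against the fixed release v1.7.9. The sample go.mod, its module name and its second dependency are constructed for the demonstration. One edge case is handled deliberately: a Go pseudo-version such as v1.7.9-0.20250901120000-0123456789ab is a pre-release of v1.7.9 and therefore still older than the fix, so any pre-release suffix on the fixed version is flagged.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod for the demonstration; the module name
// and the second dependency are made up.
const sampleGoMod = `module example.com/iac-tool

go 1.22

require (
	github.com/hashicorp/go-getter v1.7.8 // indirect
	github.com/hashicorp/hcl/v2 v2.20.0
)
`

// goGetterModule is the v1 module path named in the advisory. The v2 module
// has a different path (github.com/hashicorp/go-getter/v2) and is not
// examined by this check.
const goGetterModule = "github.com/hashicorp/go-getter"

// fixedVersion is the first release HashiCorp reports as patched.
var fixedVersion = [3]int{1, 7, 9}

// goGetterRequirement returns the version string required for go-getter in
// the given go.mod text, handling both single-line and block require
// directives, or "" if the module is not listed.
func goGetterRequirement(gomod string) string {
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case !inBlock && !strings.HasPrefix(line, "require "):
			continue
		}
		fields := strings.Fields(strings.TrimPrefix(line, "require "))
		if len(fields) >= 2 && fields[0] == goGetterModule {
			return fields[1] // "// indirect" comments land in later fields
		}
	}
	return ""
}

// parseSemver splits "v1.7.8", "v1.7.9-0.2025...-abcdef" or "v1.8.0+meta"
// into its numeric components and reports whether a pre-release suffix is
// present (build metadata after '+' does not affect ordering).
func parseSemver(v string) (nums [3]int, prerelease bool, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 {
		prerelease = true
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, false, fmt.Errorf("not a semver: %q", v)
	}
	for i, p := range parts {
		n, convErr := strconv.Atoi(p)
		if convErr != nil {
			return nums, false, fmt.Errorf("not a semver: %q", v)
		}
		nums[i] = n
	}
	return nums, prerelease, nil
}

// vulnerableGoGetter reports the go-getter version required by a go.mod and
// whether it predates the fix. A pre-release of the fixed version (pseudo-
// versions built from commits after v1.7.8 look like v1.7.9-0.<time>-<hash>)
// sorts before v1.7.9 proper and is still flagged. Unparsable versions are
// flagged too, with the parse error returned for the caller to inspect.
func vulnerableGoGetter(gomod string) (version string, vulnerable bool, err error) {
	version = goGetterRequirement(gomod)
	if version == "" {
		return "", false, nil // go-getter is not listed in this go.mod
	}
	nums, prerelease, err := parseSemver(version)
	if err != nil {
		return version, true, err
	}
	for i := range nums {
		if nums[i] != fixedVersion[i] {
			return version, nums[i] < fixedVersion[i], nil
		}
	}
	return version, prerelease, nil // equal to the fix unless it is a pre-release of it
}

func main() {
	v, vuln, err := vulnerableGoGetter(sampleGoMod)
	fmt.Printf("go-getter requirement %q vulnerable=%v err=%v\n", v, vuln, err)
}
```

go.mod records only this module's own requirements; the version that actually ends up in a build is chosen by minimal version selection across the whole module graph, so treat `go list -m all` in the repository, or `go version -m <binary>` on a deployed artifact, as the authoritative answer and use a manifest scan like this one for triage across many repositories.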

Patch Information

HashiCorp has released go-getter version 1.7.9 which addresses this vulnerability. The fix includes proper validation of symbolic links during subdirectory extraction to ensure they do not resolve to paths outside the intended directory boundaries. Organizations should update to this version or later as soon as possible.

For complete patch details and upgrade instructions, see the HashiCorp Security Advisory HCSEC-2025-23.

Workarounds

  • Restrict go-getter downloads to trusted and verified sources only until patching is complete
  • Implement additional validation layers in applications to check for symlinks before processing downloaded content
  • Run go-getter operations in sandboxed environments with restricted file system access
  • Use chroot or container isolation to limit the scope of potential symlink traversal attacks
```bash
# Report the go-getter version selected for this module, including when it is
# only a transitive dependency (go list -m <module> alone fails if the module
# is not in the build list)
go list -m all | grep 'github.com/hashicorp/go-getter'

# Update to the patched version and prune the module graph
go get github.com/hashicorp/go-getter@v1.7.9
go mod tidy

# Verify the update
go list -m github.com/hashicorp/go-getter

# For an already-built binary, read the embedded module list instead
# (./path/to/binary is a placeholder for the real artifact)
go version -m ./path/to/binary | grep 'github.com/hashicorp/go-getter'
```
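The following Go program is an added example, not go-getter's code or HashiCorp's fix. It serves both the root-cause description above (a symlink in downloaded content resolving outside the extraction directory) and the workaround of validating symlinks before processing downloaded content. It builds a constructed download tree under a temporary directory containing one benign relative symlink and three links a hardened extractor must reject (a relative ../ traversal, an absolute target, and a dangling link), then runs a post-extraction check: every symlink is resolved with filepath.EvalSymlinks and rejected unless the resolved path stays under the extraction root. All directory and file names in the fixture are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// findEscapingSymlinks walks an extracted tree without following links and
// returns the root-relative path of every symlink whose resolved target lies
// outside root. Links that cannot be resolved (dangling or unreadable) are
// reported as well: the conservative choice, since a later write could make
// them point anywhere.
func findEscapingSymlinks(root string) ([]string, error) {
	// Resolve root itself first. On macOS os.TempDir lives under /var, which is
	// a symlink to /private/var; comparing against the unresolved root would
	// make every link look like it escapes.
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return nil, err
	}
	var escaping []string
	err = filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.Type()&fs.ModeSymlink == 0 {
			return nil // regular file or directory: nothing to resolve
		}
		rel, _ := filepath.Rel(root, path)
		target, err := filepath.EvalSymlinks(path) // follows chains of links
		if err != nil {
			escaping = append(escaping, rel)
			return nil
		}
		inside, err := filepath.Rel(realRoot, target)
		if err != nil || inside == ".." || strings.HasPrefix(inside, ".."+string(filepath.Separator)) {
			escaping = append(escaping, rel)
		}
		return nil
	})
	return escaping, err
}

// buildFixture creates a constructed "download" tree under a temp directory:
// download/modules/ holds a regular file, a benign relative symlink, and
// three links that must be rejected. A file standing in for a secret sits
// one level above download/, i.e. outside the extraction root. The caller
// removes the returned base directory when done.
func buildFixture() (base string, err error) {
	base, err = os.MkdirTemp("", "getter-symlink-demo-*")
	if err != nil {
		return "", err
	}
	mod := filepath.Join(base, "download", "modules")
	if err := os.MkdirAll(mod, 0o755); err != nil {
		return "", err
	}
	secret := filepath.Join(base, "secret.txt")
	if err := os.WriteFile(secret, []byte("hypothetical secret\n"), 0o600); err != nil {
		return "", err
	}
	if err := os.WriteFile(filepath.Join(mod, "main.tf"), []byte("# module\n"), 0o644); err != nil {
		return "", err
	}
	links := map[string]string{
		"alias.tf":       "main.tf",            // benign: stays inside modules/
		"escape_rel.txt": "../../secret.txt",   // relative traversal out of download/
		"escape_abs.txt": secret,               // absolute target outside download/
		"dangling.txt":   "does-not-exist.txt", // unresolvable
	}
	for name, target := range links {
		if err := os.Symlink(target, filepath.Join(mod, name)); err != nil {
			return "", err
		}
	}
	return base, nil
}

func main() {
	base, err := buildFixture()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	bad, err := findEscapingSymlinks(filepath.Join(base, "download"))
	if err != nil {
		panic(err)
	}
	if len(bad) == 0 {
		fmt.Println("extraction directory is clean")
	}
	for _, p := range bad {
		fmt.Println("REJECT", p)
	}
}
```

filepath.WalkDir does not follow symlinks, so a link to a directory outside the root is reported once rather than descended into. Run the check before the extracted tree is handed to anything that reads it, and treat an unresolvable link as a failure rather than skipping it.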

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Information Disclosure
  • Vendor/Tech: HashiCorp go-getter
  • Severity: HIGH
  • CVSS Score: 7.5
  • EPSS Probability: 0.03%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Impact Assessment

  • Confidentiality: High (C:H in the vector above)
  • Integrity: None
  • Availability: None

CWE References

  • CWE-59: Improper Link Resolution Before File Access ('Link Following')

Vendor Resources

  • HashiCorp Security Advisory HCSEC-2025-23

Related CVEs

  • CVE-2024-3817: HashiCorp go-getter Argument Injection
©2026 SentinelOne, All Rights Reserved.
