Product
hashicorp go getter
9 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2025-8959
CVE-2024-6257
CVE-2024-3817
CVE-2023-0475
CVE-2022-30323
CVE-2022-30322
CVE-2022-30321
CVE-2022-26945
CVE-2022-29810
< 1.7.9
HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access b
< 1.7.5
HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, po
>= 1.5.9 and < 1.7.4
HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnera
<= 1.6.2
HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
<= 1.5.11
go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0.
<= 1.5.11
go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed i
<= 1.5.11
go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injec
<= 1.5.11
go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP r
< 1.5.11
The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.