HCSEC-2023-04 PUBLISHED

**Bulletin ID:** HCSEC-2023-04

**Affected Products / Versions:** go-getter up to 1.6.2 and 2.1.1; fixed in 1.7.0 and 2.2.0.

**Publication Date:** February 13, 2023

**Summary**

HashiCorp’s go-getter library up to 1.6.2 and 2.1.1 is vulnerable to denial of service via a malicious compressed archive. This vulnerability, CVE-2023-0475, was fixed in go-getter 1.7.0 and 2.2.0.

**Background**

HashiCorp’s [go-getter](https://github.com/hashicorp/go-getter) is a Go library for downloading files or directories from various sources using a URL as the primary form of input.

**Details**

During internal testing, we observed that it was possible to reliably crash the go-getter library using a maliciously crafted compressed archive. Exploitation requires that an attacker be able to supply malicious URL inputs to the library that are processed by a decompressor. Exposure to this issue depends on the context and threat model of the system in which the go-getter library is used. For example, server-side usage of go-getter likely has a greater degree of exposure to these issues than client-side usage of go-getter.

**Remediation**

Consumers of the go-getter library should evaluate the risk associated with this issue in the context of their go-getter usage and consider upgrading to go-getter 1.7.0 and 2.2.0, or newer. Review and consider using the new configuration options for go-getter decompressors (FileSizeLimit and FilesLimit) to address exposure.

**Acknowledgement**

This issue was identified by HashiCorp’s Partner Solution engineering team.

*We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*
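The FileSizeLimit and FilesLimit options named under Remediation bound how far an archive may expand during extraction. The Go function below is an added example, not go-getter's own code: it applies the same two checks while streaming a .tar.gz with the standard library, with the assumption that the parameter semantics match go-getter's options (an entry-count cap, a per-entry byte cap, 0 disables); buildTarGz constructs the test input.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
)

// extractTarGzLimited streams a .tar.gz into sink (stand-in for the destination
// directory), enforcing limits while decompressing so a bomb is rejected before it
// exhausts disk or memory. Assumed go-getter semantics: 0 disables a limit.
func extractTarGzLimited(src io.Reader, sink io.Writer, filesLimit int, fileSizeLimit int64) (int, error) {
	gz, err := gzip.NewReader(src)
	if err != nil {
		return 0, err
	}
	tr, files := tar.NewReader(gz), 0
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return files, nil // whole archive processed within limits
		} else if err != nil {
			return files, err
		}
		if files++; filesLimit > 0 && files > filesLimit {
			return files, fmt.Errorf("FilesLimit %d exceeded", filesLimit)
		}
		if fileSizeLimit > 0 && hdr.Size > fileSizeLimit {
			return files, fmt.Errorf("%s: FileSizeLimit %d exceeded (%d bytes)", hdr.Name, fileSizeLimit, hdr.Size)
		}
		if _, err := io.Copy(sink, tr); err != nil { // tar.Reader bounds the copy to hdr.Size
			return files, err
		}
	}
}

// buildTarGz is a constructed test input: n zero-filled regular files of size bytes each.
func buildTarGz(n int, size int64) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for i := 0; i < n; i++ {
		tw.WriteHeader(&tar.Header{Name: fmt.Sprintf("f%d", i), Mode: 0o644, Size: size, Typeflag: tar.TypeReg})
		tw.Write(make([]byte, size)) // highly compressible, as a decompression bomb would be
	}
	tw.Close()
	gz.Close()
	return buf.Bytes()
}
```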

Timeline

- Feb 13, 2023: CVE published