
HCSEC-2025-23

HCSEC-2025-23 PUBLISHED

**Bulletin ID:** HCSEC-2025-23

**Affected Products / Versions:** go-getter up to 1.7.8; fixed in go-getter 1.7.9.

**Publication Date:** Aug 15, 2025

**Summary**

The subdirectory download feature of HashiCorp's go-getter library is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.

**Background**

HashiCorp’s [go-getter](https://github.com/hashicorp/go-getter) is a library for Go for downloading files or directories from various sources using a URL as the primary form of input.

**Details**

Using go-getter to download a specific subdirectory from a fetched source is prone to symlink attacks. This occurs when a symbolic link present in the source repository is followed during content extraction into the designated local subdirectory, enabling unauthorized read access beyond intended boundaries across the filesystem.

**Remediation**

Consumers of the go-getter library who download files via a subdirectory should evaluate the risk associated with this issue in the context of their go-getter usage and upgrade go-getter to 1.7.9 or later. The latest go-getter releases can be found at [https://github.com/hashicorp/go-getter/releases](https://github.com/hashicorp/go-getter/releases).

**Acknowledgement**

This issue was identified by the Product Security team at HashiCorp.

*We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*
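The condition described under Details can be audited in a tree that has already been fetched. The following is an added example, not go-getter's code and not the 1.7.9 fix: it reports every symbolic link under a directory whose target resolves outside that directory. The names `within`, `escapingSymlinks` and `sampleTree` are hypothetical, and the sample tree is constructed.

```go
package main
import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// within reports whether target is root itself or lies beneath it.
func within(root, target string) bool {
	rel, err := filepath.Rel(root, target)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// escapingSymlinks (hypothetical helper) lists links under root that resolve outside it or fail to resolve.
func escapingSymlinks(root string) ([]string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return nil, err
	}
	var bad []string
	err = filepath.WalkDir(realRoot, func(p string, d fs.DirEntry, werr error) error {
		if werr != nil || d.Type()&fs.ModeSymlink == 0 {
			return werr
		}
		if target, rerr := filepath.EvalSymlinks(p); rerr != nil || !within(realRoot, target) {
			bad = append(bad, strings.TrimPrefix(p, realRoot+string(filepath.Separator)))
		}
		return nil
	})
	return bad, err
}

// sampleTree builds a constructed fetch result: one link inside the tree, one escaping it.
func sampleTree(base string) string {
	root := filepath.Join(base, "fetched")
	os.MkdirAll(filepath.Join(root, "modules", "app"), 0o755)
	os.WriteFile(filepath.Join(base, "outside.txt"), []byte("constructed"), 0o600)
	os.Symlink("..", filepath.Join(root, "modules", "app", "ok"))
	os.Symlink("../../../outside.txt", filepath.Join(root, "modules", "app", "leak"))
	return root
}

func main() {
	base, _ := os.MkdirTemp("", "subdir-check")
	defer os.RemoveAll(base)
	fmt.Println(escapingSymlinks(sampleTree(base)))
}
```

`filepath.WalkDir` does not follow symbolic links, so each link is inspected as an entry and never traversed. A scan like this complements the upgrade to go-getter 1.7.9 or later and does not replace it.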

Timeline

  • Aug 15, 2025 CVE Published