Skip to content

fix: update go-getter to v1.7.9 to address CVE-2025-8959 #328

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ona-security-engineer wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: update go-getter to v1.7.9 to address CVE-2025-8959 #328

ona-security-engineer wants to merge 1 commit into from

Conversation

@ona-security-engineer
Copy link

@ona-security-engineer ona-security-engineer commented Jan 19, 2026

Automated security fix by Ona Agent.

Summary

Update github.com/hashicorp/go-getter from v1.7.8 to v1.7.9 to address CVE-2025-8959.

Vulnerability Details

  • CVE: CVE-2025-8959
  • Severity: HIGH
  • Package: github.com/hashicorp/go-getter
  • Affected Version: v1.7.8
  • Fixed Version: v1.7.9

The vulnerability allows symlink attacks in go-getter's subdirectory download feature, potentially leading to unauthorized read access beyond designated directory boundaries.

Changes

  • Updated github.com/hashicorp/go-getter from v1.7.8 to v1.7.9 in go.mod
  • Updated go.sum checksums

Testing

  • ✅ All tests pass (go test ./... -short)

Notes

This fix was previously applied in PR #238 but was inadvertently reverted in commit 2b160b2 during a dependency revert for the v0.13.0 release.

Resolves JONAS-78

@ona-security-engineer @ona-agent
fix: update go-getter to v1.7.9 to address CVE-2025-8959
13fca41 
Update github.com/hashicorp/go-getter from v1.7.8 to v1.7.9 to fix a
symlink attack vulnerability in the subdirectory download feature.

Co-authored-by: Ona <no-reply@ona.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ona-security-engineer