CVE-2025-0913
BaseFortify
Publication date: 2025-06-11
Last updated on: 2025-08-08
Assigner: Go Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | go | From 1.25.0 (inc) to 1.25.2 (inc) |
| golang | go | From 1.25.0 (inc) to 1.25.2 (inc) |
| microsoft | windows | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-0913 is a security vulnerability in the Go programming language's os.OpenFile function when used with the flags O_CREATE and O_EXCL on dangling symbolic links (symlinks). On Unix systems, OpenFile correctly returns an error if the target path is a symlink, preventing file creation. However, on Windows, if the target path is a symlink pointing to a nonexistent location, OpenFile incorrectly creates a new file at that location. This inconsistency can lead to unintended file creation on Windows. The vulnerability has been fixed by making OpenFile always return an error when both O_CREATE and O_EXCL flags are set and the target path is a symlink, ensuring consistent behavior across platforms. [1, 2]
How can this vulnerability impact me? :
This vulnerability can lead to unintended file creation on Windows systems when using Go's os.OpenFile function with O_CREATE and O_EXCL flags on dangling symlinks. This may cause security issues such as unauthorized file creation or manipulation, potentially impacting application behavior or security by allowing files to be created in unexpected locations. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability relates to the behavior of the Go language's os.OpenFile function when used with the flags os.O_CREATE|os.O_EXCL on dangling symlinks, particularly on Windows systems. To detect if your system or application is affected, you can check the Go version used in your environment to see if it falls within the vulnerable versions (before Go 1.23.10 and from Go 1.24.0-0 up to before Go 1.24.4). Additionally, you can test for the vulnerability by attempting to create a file using os.OpenFile with O_CREATE and O_EXCL flags on a dangling symlink path and observe if the file is incorrectly created (which indicates vulnerability). There are no specific network detection commands provided. For system-level checks, you can run Go version commands such as `go version` to identify the Go runtime version. To test the behavior, you might write a small Go program that attempts to open a dangling symlink with these flags and observe the result. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the Go runtime and standard library to a fixed version where this vulnerability is addressed. Specifically, update to Go version 1.24.4 or later, or any version after 1.23.10 that includes the fix. This update modifies os.OpenFile to always return an error when both O_CREATE and O_EXCL flags are set and the target path is a symlink, ensuring consistent and secure behavior across platforms. Until the update is applied, avoid using os.OpenFile with O_CREATE|O_EXCL flags on paths that may be dangling symlinks, especially on Windows systems. [2]