CVE-2026-44973
Deferred Deferred - Pending Action
Path Traversal in Go Billy Filesystem Abstraction

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
Billy is an interface filesystem abstraction for Go. Prior to 5.9.0, multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base directories. While go-billy was not originally designed to provide a strong security boundary, some of these issues were inconsistent across some of the built-in implementations. This results in scenarios where applications relying on go-billy for some level of isolation may inadvertently expose access to unintended filesystem locations. This vulnerability is fixed in 5.9.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-44973
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in go-billy, an interface filesystem abstraction for the Go programming language. Prior to version 5.9.0, multiple path traversal issues were present across different components of go-billy. Due to insufficient path sanitization and boundary enforcement, specially crafted paths using sequences like ".." could escape the intended base directories. Although go-billy was not originally designed to provide a strong security boundary, these inconsistencies in some built-in implementations could allow applications relying on go-billy for isolation to inadvertently expose access to unintended filesystem locations.

Impact Analysis

The vulnerability can allow an attacker to perform path traversal attacks, potentially accessing files and directories outside the intended scope of the application. This can lead to unauthorized disclosure of sensitive information or exposure of critical filesystem locations. Since the vulnerability allows crafted paths to escape base directories, applications relying on go-billy for isolation may inadvertently expose unintended filesystem locations, increasing the risk of data breaches or information leakage.

Mitigation Strategies

To mitigate this vulnerability, upgrade the go-billy library to version 5.9.0 or later, where the path traversal issues have been fixed.

Additionally, review any applications relying on go-billy for filesystem isolation to ensure they do not depend on it as a strong security boundary.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44973. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart