Skip to content

fix: update go-getter to v1.7.9 to address CVE-2025-8959#328

Open
ona-security-engineer wants to merge 1 commit intomainfrom
jonas/JONAS-78-fix
Open

fix: update go-getter to v1.7.9 to address CVE-2025-8959#328
ona-security-engineer wants to merge 1 commit intomainfrom
jonas/JONAS-78-fix

Conversation

@ona-security-engineer
Copy link

@ona-security-engineer ona-security-engineer commented Jan 19, 2026

Automated security fix by Ona Agent.

Summary

Update github.com/hashicorp/go-getter from v1.7.8 to v1.7.9 to address CVE-2025-8959.

Vulnerability Details

  • CVE: CVE-2025-8959
  • Severity: HIGH
  • Package: github.com/hashicorp/go-getter
  • Affected Version: v1.7.8
  • Fixed Version: v1.7.9

The vulnerability allows symlink attacks in go-getter's subdirectory download feature, potentially leading to unauthorized read access beyond designated directory boundaries.

Changes

  • Updated github.com/hashicorp/go-getter from v1.7.8 to v1.7.9 in go.mod
  • Updated go.sum checksums

Testing

  • ✅ All tests pass (go test ./... -short)

Notes

This fix was previously applied in PR #238 but was inadvertently reverted in commit 2b160b2 during a dependency revert for the v0.13.0 release.

Resolves JONAS-78

@ona-security-engineer @ona-agent
fix: update go-getter to v1.7.9 to address CVE-2025-8959
13fca41 
Update github.com/hashicorp/go-getter from v1.7.8 to v1.7.9 to fix a
symlink attack vulnerability in the subdirectory download feature.

Co-authored-by: Ona <no-reply@ona.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ona-security-engineer