vulnerability

Arch Linux: Directory traversal (CVE-2025-22873)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
2	(AV:L/AC:L/Au:S/C:P/I:N/A:N)	Feb 4, 2026	Feb 6, 2026	Feb 9, 2026

Severity

CVSS

(AV:L/AC:L/Au:S/C:P/I:N/A:N)

Published

Feb 4, 2026

Added

Feb 6, 2026

Modified

Feb 9, 2026

Description

It was possible to improperly access the parent directory of a restricted filesystem root created with os.DirFS. Calling Open("../") on such a filesystem could open the parent directory itself, violating expected directory confinement. This escape did not allow access to ancestor directories beyond the parent, nor to files within the parent directory.

This behavior has been corrected to return an error for such paths.

Solution

arch-linux-upgrade-latest

References

CVE-2025-22873
https://attackerkb.com/topics/CVE-2025-22873
URL-https://go.dev/cl/670036
URL-https://go.dev/issue/73555
URL-https://groups.google.com/g/golang-announce/c/UZoIkUT367A/m/5WDxKizJAQAJ
URL-https://pkg.go.dev/vuln/GO-2026-4403
URL-https://security.archlinux.org/ASA-202505-12
CWE-23

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today