Skip to main content

Ubuntu CVE-2025-0913

| EUVDEUVD-2025-18139 MEDIUM
Improper Link Resolution Before File Access (CWE-59)
2025-06-11 security@golang.org
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Ubuntu
MEDIUM
qualitative
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 14, 2026 - 21:09 euvd
EUVD-2025-18139
Analysis Generated
Mar 14, 2026 - 21:09 vuln.today
CVE Published
Jun 11, 2025 - 18:15 nvd
MEDIUM 5.5

DescriptionCVE.org

os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.

Analysis

os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.

Technical ContextAI

This vulnerability is classified as Improper Link Resolution Before File Access (CWE-59).

RemediationAI

Monitor vendor advisories for patches. Apply mitigations such as network segmentation, access restrictions, and monitoring.

More in Go

View all
CVE-2016-5386 HIGH
8.1 Jul 19

The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and there

CVE-2025-68121 CRITICAL POC
10.0 Feb 05

Critical certificate validation bypass in Go crypto/tls during session resumption. If ClientCAs or RootCAs fields are mu

CVE-2019-14809 CRITICAL POC
9.8 Aug 13

net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization by

CVE-2018-7187 HIGH POC
8.8 Feb 16

The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import pa

CVE-2015-5739 CRITICAL
9.8 Oct 18

The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allow

CVE-2020-0601 HIGH POC
8.1 Jan 14

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) c

CVE-2019-9634 HIGH POC
7.8 Mar 08

Go through 1.12 on Windows misuses certain LoadLibrary functionality, leading to DLL injection. Rated high severity (CVS

CVE-2018-6574 HIGH POC
7.8 Feb 07

Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command executi

CVE-2025-61726 HIGH POC
7.5 Jan 28

The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query p

CVE-2022-2880 HIGH POC
7.5 Oct 14

Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable param

CVE-2022-32189 HIGH POC
7.5 Aug 10

A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and

CVE-2022-30634 HIGH POC
7.5 Jul 15

Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite h

Vendor StatusVendor

Ubuntu

Priority: Medium
golang
Release Status Version
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
golang-1.6
Release Status Version
xenial ignored Windows Only
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
golang-1.8
Release Status Version
bionic ignored Windows Only
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
golang-1.9
Release Status Version
bionic ignored Windows Only
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
golang-1.10
Release Status Version
trusty ignored Windows Only
xenial ignored Windows Only
bionic ignored Windows Only
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
golang-1.13
Release Status Version
xenial ignored Windows Only
bionic ignored Windows Only
focal ignored Windows Only
jammy ignored Windows Only
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
golang-1.14
Release Status Version
focal ignored Windows Only
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
golang-1.16
Release Status Version
bionic ignored Windows Only
focal ignored Windows Only
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
golang-1.17
Release Status Version
jammy ignored Windows Only
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
golang-1.18
Release Status Version
xenial ignored Windows Only
bionic ignored Windows Only
jammy ignored Windows Only
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
focal needs-triage -
questing DNE -
golang-1.20
Release Status Version
jammy ignored Windows Only
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
focal needs-triage -
questing DNE -
golang-1.21
Release Status Version
jammy ignored Windows Only
noble ignored Windows Only
oracular DNE -
plucky DNE -
upstream needs-triage -
focal needs-triage -
questing DNE -
golang-1.22
Release Status Version
jammy ignored Windows Only
noble ignored Windows Only
plucky DNE -
upstream needs-triage -
oracular ignored end of life, was ignored [Windows Only]
focal needs-triage -
questing DNE -
golang-1.23
Release Status Version
jammy ignored Windows Only
noble ignored Windows Only
upstream needs-triage -
oracular ignored end of life, was ignored [Windows Only]
questing ignored Windows Only
plucky ignored end of life, was ignored [Windows Only]
golang-1.24
Release Status Version
oracular DNE -
upstream needs-triage -
jammy needs-triage -
noble needs-triage -
questing ignored Windows Only
plucky ignored end of life, was ignored [Windows Only]

Debian

golang-1.15
Release Status Fixed Version Urgency
bullseye fixed 1.15.15-1~deb11u4 -
(unstable) not-affected - -
golang-1.19
Release Status Fixed Version Urgency
bookworm fixed 1.19.8-2 -
(unstable) not-affected - -
golang-1.24
Release Status Fixed Version Urgency
trixie fixed 1.24.4-1 -
forky, sid fixed 1.24.13-2 -
(unstable) not-affected - -
golang-1.23
Release Status Fixed Version Urgency
(unstable) not-affected - -

SUSE

Severity: Medium
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:2.1.3-4.31 Affected
Container suse/sl-micro/6.0/base-os-container:2.1.3-4.26 Image SL-Micro Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-4.27 Container suse/sl-micro/6.0/rt-os-container:2.1.3-5.25 Affected
Container suse/sl-micro/6.0/toolbox:13.2-9.1 Affected
SUSE Enterprise Storage 7.1 Fixed

Share

CVE-2025-0913 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy