Skip to main content

go-billy CVE-2026-44973

HIGH
Path Traversal (CWE-22)
2026-05-14 https://github.com/go-git/go-billy GHSA-qw64-3x98-g7q2
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 14, 2026 - 19:01 vuln.today
Analysis Generated
May 14, 2026 - 19:01 vuln.today
CVE Published
May 14, 2026 - 18:25 nvd
HIGH 8.1

DescriptionGitHub Advisory

Impact

Multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base directories.

While go-billy was not originally designed to provide a strong security boundary, some of these issues were inconsistent across some of the built-in implementations. This results in scenarios where applications relying on go-billy for some level of isolation may inadvertently expose access to unintended filesystem locations.

The osfs.ChrootOS implementation is notably affected by this vulnerability and is now deprecated in v5, removed at v6. Users are recommended to move on to osfs.BoundOS instead: osfs.New(path, WithBoundOS()).

Users requiring stronger security boundary enforcement are recommended to upgrade to v6, where the osfs implementation are backed by the traversal-resistant primitive os.Root.

Patches

Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-billy version.

Credits

Thanks to @faran66 and @vnykmshr for finding and separately reporting this issue privately to the go-git project. 🙇

AnalysisAI

Path traversal vulnerabilities in go-billy (Go filesystem abstraction library) allow authenticated attackers with network access to escape intended directory boundaries and access arbitrary filesystem locations. The vulnerability affects all versions prior to v5.9.0 and v6.0.0-alpha.1, with the osfs.ChrootOS implementation particularly impacted due to insufficient path sanitization of dot-dot-slash sequences. Applications using go-billy for filesystem isolation are at risk of unauthorized file access. Vendor has released patches in v5.9.0 and v6.0.0-alpha.1, with ChrootOS deprecated in v5 and removed in v6 in favor of the new BoundOS implementation backed by Go's traversal-resistant os.Root primitive. No public exploit identified at time of analysis, but CVSS 8.1 reflects high confidentiality and integrity impact.

Technical ContextAI

go-billy is a filesystem abstraction library for Go, commonly used in the go-git project and other applications requiring virtual filesystem operations. The vulnerability stems from CWE-22 (path traversal) - inadequate validation of user-supplied file paths before filesystem operations. Specifically, the library's path sanitization failed to properly neutralize dot-dot-slash (../) sequences and enforce boundary constraints across different built-in implementations including osfs.ChrootOS. The affected packages are github.com/go-git/go-billy/v5 and v6. The v6 remediation leverages Go 1.23's new os.Root API, which provides kernel-level protection against traversal attacks through file descriptor-based directory containment, eliminating TOCTOU races and symbolic link escape vectors that plagued filepath.Clean-based approaches. The inconsistency across go-billy's implementations meant that applications could not reliably trust the library's isolation guarantees, even when using components explicitly designed for chroot-like behavior.

RemediationAI

Upgrade to patched versions: go-billy v5.9.0 for v5 users or v6.0.0-alpha.1 for v6 early adopters, as confirmed by GitHub advisory GHSA-qw64-3x98-g7q2 and release notes at https://github.com/go-git/go-billy/releases/tag/v5.9.0 and https://github.com/go-git/go-billy/releases/tag/v6.0.0-alpha.1. For v5 users, immediately migrate from osfs.ChrootOS (now deprecated) to osfs.BoundOS by changing initialization to osfs.New(path, WithBoundOS()) - this provides improved boundary enforcement without requiring major version upgrade. For strongest security posture, migrate to v6 stable when available, which uses Go 1.23's os.Root primitive for kernel-backed traversal protection with file descriptor isolation that eliminates TOCTOU and symlink escape risks. If immediate upgrade is not feasible, implement application-level path validation before passing user-controlled paths to go-billy operations: explicitly reject any path containing dot-dot sequences, validate against an allowlist of permitted directories, and resolve paths to absolute form before comparison against base directory boundaries. Note that application-level validation is a temporary workaround only - the library-level fix is required for comprehensive protection as path sanitization must occur at the filesystem abstraction layer. Review all code using go-billy to identify whether it relies on the library for security isolation versus mere abstraction, and prioritize upgrades accordingly.

Share

CVE-2026-44973 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy