EUVD-2025-18139
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
4Description
os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.
Analysis
os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.
Technical Context
This vulnerability is classified as Improper Link Resolution Before File Access (CWE-59).
Affected Products
Affected products: Golang Go
Remediation
Monitor vendor advisories for patches. Apply mitigations such as network segmentation, access restrictions, and monitoring.
Priority Score
Vendor Status
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| xenial | ignored | Windows Only |
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| bionic | ignored | Windows Only |
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| bionic | ignored | Windows Only |
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| trusty | ignored | Windows Only |
| xenial | ignored | Windows Only |
| bionic | ignored | Windows Only |
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| xenial | ignored | Windows Only |
| bionic | ignored | Windows Only |
| focal | ignored | Windows Only |
| jammy | ignored | Windows Only |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| focal | ignored | Windows Only |
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| bionic | ignored | Windows Only |
| focal | ignored | Windows Only |
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| jammy | ignored | Windows Only |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| xenial | ignored | Windows Only |
| bionic | ignored | Windows Only |
| jammy | ignored | Windows Only |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| focal | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| jammy | ignored | Windows Only |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| focal | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| jammy | ignored | Windows Only |
| noble | ignored | Windows Only |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| focal | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| jammy | ignored | Windows Only |
| noble | ignored | Windows Only |
| plucky | DNE | - |
| upstream | needs-triage | - |
| oracular | ignored | end of life, was ignored [Windows Only] |
| focal | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| jammy | ignored | Windows Only |
| noble | ignored | Windows Only |
| upstream | needs-triage | - |
| oracular | ignored | end of life, was ignored [Windows Only] |
| questing | ignored | Windows Only |
| plucky | ignored | end of life, was ignored [Windows Only] |
| Release | Status | Version |
|---|---|---|
| oracular | DNE | - |
| upstream | needs-triage | - |
| jammy | needs-triage | - |
| noble | needs-triage | - |
| questing | ignored | Windows Only |
| plucky | ignored | end of life, was ignored [Windows Only] |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 1.15.15-1~deb11u4 | - |
| (unstable) | not-affected | - | - |
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bookworm | fixed | 1.19.8-2 | - |
| (unstable) | not-affected | - | - |
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| trixie | fixed | 1.24.4-1 | - |
| forky, sid | fixed | 1.24.13-2 | - |
| (unstable) | not-affected | - | - |
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| (unstable) | not-affected | - | - |
Share
External POC / Exploit Code
Leaving vuln.today