Go os Package Directory Traversal Vulnerability in Root Access

A directory traversal vulnerability has been identified in the Go programming language's os package, specifically in versions prior to 1.24.3. This vulnerability allows improper access to the parent directory of an os.Root by opening a filename that ends with '../'. For instance, using Root.Open('../') would access the parent directory. However, this escape only enables access to the immediate parent directory, not to its ancestors or any files within it. The issue was reported by Dan Sebastian Thrane of SDU eScience Center.

Impact

Exploitation of this vulnerability allows for improper directory traversal, enabling access to the parent directory of an os.Root, which could lead to unauthorized file access or manipulation.

Reproduction

To reproduce this vulnerability, use Go versions prior to 1.24.3. Open a file using the Root.Open() method with a filename that includes a path traversal sequence, such as '../'. This will access the parent directory of the Root, demonstrating the improper directory traversal.

Remediation

Users can upgrade to Go version 1.24.3 or 1.23.9, both of which include the necessary security fix. Instructions for downloading these versions are available on the Go website.