CVE-2025-0913

Aliases:GO-2025-3750BIT-golang-2025-0913

Advisory lineage Upstream: 0 Downstream: 11

Downstream

MGASA-2025-0184 OPENSUSE-SU-2025:15223-1 OPENSUSE-SU-2025:15224-1 OPENSUSE-SU-2025:15225-1 OPENSUSE-SU-2025:15586-1 SUSE-SU-2025:01846-1

Analyzed

Published: 11 Jun 2025, 17:17

Last modified:11 Jun 2025, 17:37

Vulnerability Summary

Overall Risk (default)

low

22/100

CVSS Score

5.5 MEDIUM

v3.1 (cve.org)

EPSS Score

0.04% LOW

0% probability +0.03%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

11 Jun 2025, 17:17

Published

Vulnerability first disclosed

11 Jun 2025, 17:37

Last Modified

Vulnerability information updated

Description

os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.

CVSS Metrics

v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS Trends

Current EPSS score: 0.04%• Percentile: 12%

Techniques & Countermeasures

CWE-59•Improper Link Resolution Before File Access ('Link Following')
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Affected Systems

go standard library•os
< 1.23.10 | ≥ 1.24.0-0, < 1.24.4
go standard library•syscall
< 1.23.10 | ≥ 1.24.0-0, < 1.24.4
golang•go
< 1.23.10 | ≥ 1.24.0, < 1.24.4
Go•stdlib
≥ 1.24.0-0, < 1.24.4