PT-2022-26047 · Go+3

Neil · Published 2022-12-07 · Updated 2026-03-10 · CVE-2022-41720

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Go versions prior to the fixed version

Description: The issue allows restricted files to be accessed via os.DirFS and http.Dir on Windows. These functions provide access to a tree of files rooted at a given directory, and on Windows they also permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir provide only read-only filesystem access. Additionally, on Windows, an os.DirFS for the root directory of the current drive can permit a maliciously crafted path to escape from the drive and access any path on the system. The fix changes the behavior of os.DirFS(""): previously an empty root was treated equivalently to "/", and it now returns an error.

Recommendations: For Go versions prior to the fixed version, apply the fix (update to a Go release that includes it), which makes os.DirFS("") return an error instead of treating the empty root equivalently to "/". As a temporary workaround, restrict the use of os.DirFS and http.Dir to minimize the risk of exploitation, and avoid calling os.DirFS with an empty root or with untrusted, crafted paths until the issue is resolved.

Fix

Path traversal


Weakness Enumeration

Related Identifiers

ALT-PU-2022-3297
ALT-PU-2022-3300
ALT-PU-2023-1205
ALT-PU-2023-1323
ALT-PU-2023-4785
AZL-79038
BIT-GOLANG-2022-41720
CVE-2022-41720
GO-2022-1143
OPENSUSE-SU-2022_4397-1
OPENSUSE-SU-2022_4398-1
OPENSUSE-SU-2024:12552-1
OPENSUSE-SU-2024:12553-1
SUSE-SU-2022:4397-1
SUSE-SU-2022:4398-1
SUSE-SU-2023:0871-1
SUSE-SU-2023:2312-1
SUSE-SU-2023_0871-1

Affected Products

Alt Linux
Debian
Go
Suse