PT-2026-41151 · Go-Billy
Published 2026-05-14 · Updated 2026-05-28
CVE-2026-44973
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
go-billy versions prior to 5.9.0
Description
Multiple path traversal issues exist across different components of the software due to insufficient path sanitization and boundary enforcement. This allows crafted paths, such as those containing "..", to escape the intended base directory. Consequently, applications relying on the software for isolation may inadvertently expose access to unintended filesystem locations. The osfs.ChrootOS implementation is notably affected.
Recommendations
Update to version 5.9.0 or later.
As a temporary mitigation, replace the osfs.ChrootOS implementation with osfs.BoundOS using osfs.New(path, WithBoundOS()).
For stronger security boundary enforcement, upgrade to version 6, where osfs implementations are backed by the os.Root primitive.
Fix
Path traversal
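A lexical base-directory boundary check of the kind the description says was insufficient in affected versions, written here as an added illustration and not go-billy's own code; the base directory and the sample paths are constructed. It also shows why a plain string-prefix comparison is avoided: filepath.Rel distinguishes a legitimate child named "..secret" from a genuine escape, and the comments note the symlink case that only an OS-enforced boundary such as os.Root covers.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapesBase is returned when the requested path would resolve outside base.
var ErrEscapesBase = errors.New("path escapes base directory")

// SafeJoin resolves a caller-supplied path against base and rejects any result
// that lies outside base. Absolute inputs are treated as relative to base
// (chroot-style), so "/etc/passwd" maps to base/etc/passwd, not the host file.
// The check is purely lexical: it catches ".." sequences but not a symlink
// inside base that points outside it; that case needs an OS-enforced boundary
// such as os.Root.
func SafeJoin(base, userPath string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	// Join cleans the result, so "../" components are collapsed here; the
	// escape is detected afterwards by where the cleaned path ended up.
	candidate := filepath.Join(absBase, userPath)
	rel, err := filepath.Rel(absBase, candidate)
	if err != nil {
		return "", err
	}
	// A cleaned relative path that is ".." or starts with "../" left the base
	// directory. A child named "..secret" does not match and is allowed.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrEscapesBase, userPath)
	}
	return candidate, nil
}

func main() {
	// Constructed sample inputs, not taken from the advisory.
	base := "/srv/data"
	for _, p := range []string{"reports/q1.txt", "../../etc/passwd", "/etc/passwd", "a/../../x", "..secret"} {
		if got, err := SafeJoin(base, p); err != nil {
			fmt.Printf("%-20q rejected: %v\n", p, err)
		} else {
			fmt.Printf("%-20q -> %s\n", p, got)
		}
	}
}
```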
Affected Products
Go-Billy