CVE-2026-44973— go-billy 路径遍历漏洞

Billy: Path traversal vulnerabilities

Billy is an interface filesystem abstraction for Go. Prior to 5.9.0, multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base directories. While go-billy was not originally designed to provide a strong security boundary, some of these issues were inconsistent across some of the built-in implementations. This results in scenarios where applications relying on go-billy for some level of isolation may inadvertently expose access to unintended filesystem locations. This vulnerability is fixed in 5.9.0.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

对路径名的限制不恰当(路径遍历)

go-billy 路径遍历漏洞

go-billy是go-git开源的一个文件系统抽象接口库。 go-billy 5.9.0之前版本存在路径遍历漏洞，该漏洞源于多个组件中存在路径遍历问题，路径清理和边界执行不足可能导致访问意外文件系统位置。

N/A

N/A