go-billy Path Traversal Vulnerability (CVE-2026-44973) Advisory

Vulnerability Overview Path Traversal Vulnerability Description: Multiple path traversal issues exist in different components of . Due to insufficient path sanitization and boundary enforcement, attackers can escape the expected base directory by constructing malicious paths (e.g., using ). Impact: was not originally designed to provide strong security boundaries, and certain issues manifested inconsistently across different versions. This may lead to applications relying on inadvertently exposing untrusted filesystem locations under certain isolation levels. Specific Impacts: - The implementation is affected by this vulnerability. It has been deprecated in and removed in . Users should migrate to . - Users requiring stricter security boundary enforcement should upgrade to , where the implementation is backed by the traversal-resistant primitive . Affected Versions Affected Versions: - : < v5.9.0 - : < v6.0.0-alpha.1 Fixed Versions: - : v5.9.0 - : v6.0.0-alpha.1 Remediation Recommendation: Users should upgrade to the fixed versions to mitigate this vulnerability. - For , it is recommended to upgrade to or later. - For , it is recommended to upgrade to or later. Additional Information CVSS v3 Base Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Confidentiality: High - Integrity: High - Availability: None CVE ID: CVE-2026-44973 Weakness: CWE-22 Contributors: - faran6 - ymykmshr Acknowledgments: Thanks to faran6 and ymykmshr for discovering and reporting this issue privately.

Goal Reached Thanks to every supporter — we hit 100%!

go-billy Path Traversal Vulnerability (CVE-2026-44973) Advisory

More from this source