Every CVE whose affected-product data names Hashicorp Go-getter, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (9)
CVE-2024-3817 — CVSS 9.8 (critical): HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnerability does…
CVE-2022-26945 — CVSS 9.8 (critical): go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response…
CVE-2022-30322 — CVSS 8.6 (high): go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1…
CVE-2022-30323 — CVSS 8.6 (high): go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30321 — CVSS 8.6 (high): go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection…
CVE-2024-6257 — CVSS 8.4 (high): HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially…
CVE-2025-8959 — CVSS 7.5 (high): HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the…
CVE-2022-29810 — CVSS 5.5 (medium): The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.
CVE-2023-0475 — CVSS 4.2 (medium): HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.