{"id":"GO-2022-0190","summary":"Directory traversal via \"go get\" command in cmd/go","details":"The \"go get\" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly brace (both '{' and '}' characters).\n\nSpecifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.","aliases":["CVE-2018-16874"],"modified":"2026-03-17T04:06:09.734552Z","published":"2022-08-02T15:44:23Z","database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2022-0190"},"references":[{"type":"FIX","url":"https://go.dev/cl/154101"},{"type":"FIX","url":"https://go.googlesource.com/go/+/bc82d7c7db83487e05d7a88e06549d4ae2a688c3"},{"type":"REPORT","url":"https://go.dev/issue/29230"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0"}],"affected":[{"package":{"name":"toolchain","ecosystem":"Go","purl":"pkg:golang/toolchain"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.10.6"},{"introduced":"1.11.0-0"},{"fixed":"1.11.3"}]}],"ecosystem_specific":{"imports":[{"path":"cmd/go/internal/get","symbols":["downloadPackage"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-0190.json"}}],"schema_version":"1.7.5","credits":[{"name":"ztz of Tencent Security Platform"}]}