HashiCorp Go Getter
By the Year
In 2026 there have been 0 vulnerabilities in HashiCorp Go Getter. Last year, in 2025, Go Getter had 1 security vulnerability published. Right now, Go Getter is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 1 | 0.00 |
| 2024 | 2 | 0.00 |
| 2023 | 1 | 6.50 |
| 2022 | 5 | 8.22 |
It may take a day or so for new Go Getter vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent HashiCorp Go Getter Security Vulnerabilities
HashiCorp go-getter 1.7.9: Symlink attack in subdirectory download
CVE-2025-8959
- August 15, 2025
HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.
HashiCorp go-getter arbitrary code exec via coerced Git update
CVE-2024-6257
- June 25, 2024
HashiCorp's go-getter library can be coerced into executing Git update on an existing maliciously modified Git configuration, potentially leading to arbitrary code execution.
HashiCorp Go-getter Arg Injection via Git
CVE-2024-3817
- April 17, 2024
HashiCorp's go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnerability does not affect the go-getter/v2 branch and package.
HashiCorp go-getter v 1.6.2 & 2.1.1 decompression bomb
CVE-2023-0475
6.5 - Medium
- February 16, 2023
HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
go-getter up to 1.5.11 and 2.0.2
CVE-2022-26945
9.8 - Critical
- May 25, 2022
go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.
go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files
CVE-2022-30323
8.6 - High
- May 25, 2022
go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0.
go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses
CVE-2022-30322
8.6 - High
- May 25, 2022
go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0.
go-getter up to 1.5.11 and 2.0.2
CVE-2022-30321
8.6 - High
- May 25, 2022
go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.
Directory traversal
The HashiCorp go-getter library before 1.5.11 does not redact an SSH key
CVE-2022-29810
5.5 - Medium
- April 27, 2022
The HashiCorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.
Insertion of Sensitive Information into Log File