Search for vulnerabilities
Vulnerability details: VCID-2hrd-ctwd-zkau
Vulnerability ID VCID-2hrd-ctwd-zkau
Aliases CVE-2025-0913
Summary os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-59 Improper Link Resolution Before File Access ('Link Following')
System Score Found at
epss 0.00012 https://api.first.org/data/v1/epss?cve=CVE-2025-0913
epss 0.00012 https://api.first.org/data/v1/epss?cve=CVE-2025-0913
epss 0.00012 https://api.first.org/data/v1/epss?cve=CVE-2025-0913
epss 0.00013 https://api.first.org/data/v1/epss?cve=CVE-2025-0913
epss 0.00013 https://api.first.org/data/v1/epss?cve=CVE-2025-0913
epss 0.00013 https://api.first.org/data/v1/epss?cve=CVE-2025-0913
cvssv3.1 5.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 5.5 https://go.dev/cl/672396
ssvc Track https://go.dev/cl/672396
cvssv3.1 5.5 https://go.dev/issue/73702
ssvc Track https://go.dev/issue/73702
cvssv3.1 5.5 https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A
ssvc Track https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A
cvssv3.1 5.5 https://pkg.go.dev/vuln/GO-2025-3750
ssvc Track https://pkg.go.dev/vuln/GO-2025-3750
archlinux Medium https://security.archlinux.org/AVG-2896
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2025-0913
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
672396 https://go.dev/cl/672396
73702 https://go.dev/issue/73702
AVG-2896 https://security.archlinux.org/AVG-2896
CVE-2025-0913 https://nvd.nist.gov/vuln/detail/CVE-2025-0913
GO-2025-3750 https://pkg.go.dev/vuln/GO-2025-3750
ufZ8WpEsA3A https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Found at https://go.dev/cl/672396
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-11T17:35:44Z/ Found at https://go.dev/cl/672396
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Found at https://go.dev/issue/73702
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-11T17:35:44Z/ Found at https://go.dev/issue/73702
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Found at https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-11T17:35:44Z/ Found at https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Found at https://pkg.go.dev/vuln/GO-2025-3750
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-11T17:35:44Z/ Found at https://pkg.go.dev/vuln/GO-2025-3750
Exploit Prediction Scoring System (EPSS)
Percentile 0.01132
EPSS Score 0.00012
Published At June 12, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-06-05T22:43:42.212289+00:00 Debian Importer Import https://security-tracker.debian.org/tracker/data/json 36.1.0