CVE-2025-0913 — Alpine Security Tracker

CVE-2025-0913

Name

CVE-2025-0913

Description

os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

References

Type	URI
security@golang.org	https://go.dev/cl/672396
security@golang.org	https://go.dev/issue/73702
security@golang.org	https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A
security@golang.org	https://pkg.go.dev/vuln/GO-2025-3750

Type

URI

security@golang.org

https://go.dev/cl/672396

security@golang.org

https://go.dev/issue/73702

security@golang.org

https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A

security@golang.org

https://pkg.go.dev/vuln/GO-2025-3750

Match rules

CPE URI	Source package	Min version	Max version
	syscall	>= 0	< 1.23.10
	syscall	>= 1.24.0-0	< 1.24.4
	os	>= 0	< 1.23.10
	os	>= 1.24.0-0	< 1.24.4
`cpe:2.3:a:golang:go::::::::`	go	>= None	< 1.23.10
`cpe:2.3:a:golang:go::::::::`	go	>= 1.24.0	< 1.24.4

CPE URI

Source package

Min version

Max version

syscall

>= 0

< 1.23.10

syscall

>= 1.24.0-0

< 1.24.4

>= 0

< 1.23.10

>= 1.24.0-0

< 1.24.4

cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*

>= None

< 1.23.10

cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*

>= 1.24.0

< 1.24.4

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
go	edge-community	1.24.4-r0	fossdd <fossdd@pwned.life>	fixed
go	edge-community	1.24.3-r1	None	possibly vulnerable
go	edge-community	1.24.3-r0	Sören Tempel <soeren+alpine@soeren-tempel.net>	possibly vulnerable
go	edge-community	1.24.2-r1	Sören Tempel <soeren+alpine@soeren-tempel.net>	possibly vulnerable
go	edge-community	1.24.2-r0	Sören Tempel <soeren+alpine@soeren-tempel.net>	possibly vulnerable
go	edge-community	1.24.1-r1	Sören Tempel <soeren+alpine@soeren-tempel.net>	possibly vulnerable
go	edge-community	1.24.1-r0	Sören Tempel <soeren+alpine@soeren-tempel.net>	possibly vulnerable
go	edge-community	1.24.0-r0	Sören Tempel <soeren+alpine@soeren-tempel.net>	possibly vulnerable
go	edge-community	1.23.6-r0	Sören Tempel <soeren+alpine@soeren-tempel.net>	possibly vulnerable
go	edge-community	1.23.5-r0	Sören Tempel <soeren+alpine@soeren-tempel.net>	possibly vulnerable
go	edge-community	1.23.4-r0	Sören Tempel <soeren+alpine@soeren-tempel.net>	possibly vulnerable
go	edge-community	1.23.3-r0	Sören Tempel <soeren+alpine@soeren-tempel.net>	possibly vulnerable
go	3.22-community	1.24.4-r0	None	fixed
go	3.22-community	1.23.9-r0	Sören Tempel <soeren+alpine@soeren-tempel.net>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

edge-community

1.24.4-r0

fossdd <fossdd@pwned.life>

fixed

edge-community

1.24.3-r1

None