CVE-2022-29810
Description
The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Hashicorp go-getter library before version 1.5.11 fails to redact SSH keys from URL query parameters, potentially leaking sensitive credentials in logs or error messages.
Vulnerability
The Hashicorp go-getter library before version 1.5.11 does not redact an SSH key from a URL query parameter [1, 3]. When a URL contains an SSH key in the query string, such as ?sshkey=..., the library may return that value in error messages or other outputs without sanitization. This affects all versions prior to 1.5.11 [2]. The library is used by Terraform for downloading modules and Nomad for downloading binaries [1].
Exploitation
An attacker does not need direct network access to the library's host process. The exposure occurs when a caller of go-getter supplies a URL containing an SSH key query parameter, and the library returns error messages or other outputs that include the full URL. If those outputs are logged or persisted without sanitization, the SSH key can be leaked to anyone with access to those logs. The attacker's position could be an insider with log access, or a remote attacker who can trigger error conditions that cause vulnerable logging patterns [1].
Impact
Successful exploitation leads to disclosure of an SSH private key included in the URL query parameter. This compromises the confidentiality of the key, which an attacker could then use to authenticate to systems or services the key grants access to. The impact is limited to information disclosure, but the sensitive nature of SSH keys elevates the severity. The library's documentation notes that go-getter may return values containing caller-provided query parameters and recommends callers sanitize outputs [1].
Mitigation
Upgrade to go-getter version 1.5.11 or later [2]. This version was released on April 27, 2022 [3]. The fix ensures that SSH key query parameters are redacted from return values. No workaround is provided in the references; however, callers can sanitize go-getter outputs before logging or persisting them, as recommended in the library's security documentation [1]. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
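One way a caller can apply the sanitization recommended above, as an added example (not code from go-getter or its advisory): SanitizeText scrubs sshkey values and URL passwords from free-form error text, and SanitizeURL does the same for a parsed URL, including a repeated sshkey parameter. The function names, the patterns and the sample error string are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

// sshKeyInText finds ?sshkey=<value> or &sshkey=<value> inside free text
// (hypothetical helper pattern; the value ends at '&', '#', space or a quote).
var sshKeyInText = regexp.MustCompile(`(?i)([?&]sshkey=)[^&#\s"']+`)

// passwordInText finds the password in scheme://user:password@host.
var passwordInText = regexp.MustCompile(`(://[^/\s:@]*:)[^/\s@?#]+@`)

// SanitizeText scrubs secrets from arbitrary text before it is logged.
func SanitizeText(s string) string {
	s = sshKeyInText.ReplaceAllString(s, "${1}redacted")
	return passwordInText.ReplaceAllString(s, "${1}redacted@")
}

// SanitizeURL scrubs a parsed URL and checks every value of a repeated sshkey.
func SanitizeURL(u *url.URL) string {
	if u == nil {
		return ""
	}
	ru := *u // shallow copy so the caller's URL is not modified
	if _, has := ru.User.Password(); has {
		ru.User = url.UserPassword(ru.User.Username(), "redacted")
	}
	q := ru.Query()
	for _, v := range q["sshkey"] {
		if v != "" {
			q.Set("sshkey", "redacted") // Set replaces all values of the key
			ru.RawQuery = q.Encode()    // Encode sorts parameters by key
			break
		}
	}
	return ru.String()
}

func main() {
	// Constructed error string of the kind a caller might write to a log.
	err := errors.New(`error downloading "ssh://git@host.tld/repo.git?ref=main&sshkey=QUJDREVG": exit status 128`)
	fmt.Println(SanitizeText(err.Error()))
}
```
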
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/hashicorp/go-getter (Go) | < 1.5.11 | 1.5.11 |
Affected products
- Hashicorp/go-getter library (description)
Patches
36b68b2f68a3 Redact SSH key from URL query parameter
3 files changed · +31 −3
.gitignore+1 −0 added@@ -0,0 +1 @@ +cmd/go-getter/go-getter
url.go+6 −1 modified@@ -13,7 +13,12 @@ func RedactURL(u *url.URL) string { ru := *u if _, has := ru.User.Password(); has { - ru.User = url.UserPassword(ru.User.Username(), "xxxxx") + ru.User = url.UserPassword(ru.User.Username(), "redacted") + } + q := ru.Query() + if q.Get("sshkey") != "" { + q.Set("sshkey", "redacted") + ru.RawQuery = q.Encode() } return ru.String() }
url_test.go+24 −2 modified@@ -19,7 +19,7 @@ func TestRedactURL(t *testing.T) { Path: "this:that", User: url.UserPassword("user", "password"), }, - want: "http://user:xxxxx@host.tld/this:that", + want: "http://user:redacted@host.tld/this:that", }, { name: "blank Password", @@ -39,7 +39,7 @@ func TestRedactURL(t *testing.T) { Path: "this:that", User: url.UserPassword("", "password"), }, - want: "http://:xxxxx@host.tld/this:that", + want: "http://:redacted@host.tld/this:that", }, { name: "blank Username, blank Password", @@ -60,6 +60,28 @@ func TestRedactURL(t *testing.T) { url: nil, want: "", }, + { + name: "non-blank SSH key in URL query parameter", + url: &url.URL{ + Scheme: "ssh", + User: url.User("git"), + Host: "github.com", + Path: "hashicorp/go-getter-test-private.git", + RawQuery: "sshkey=LS0tLS1CRUdJTiBPUE", + }, + want: "ssh://git@github.com/hashicorp/go-getter-test-private.git?sshkey=redacted", + }, + { + name: "blank SSH key in URL query parameter", + url: &url.URL{ + Scheme: "ssh", + User: url.User("git"), + Host: "github.com", + Path: "hashicorp/go-getter-test-private.git", + RawQuery: "sshkey=", + }, + want: "ssh://git@github.com/hashicorp/go-getter-test-private.git?sshkey=", + }, } for _, tt := range cases {
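Review bot: in the url.go hunk, the guard `q.Get("sshkey") != ""` inspects only the first sshkey value, so a query that repeats the parameter with an empty first value (`sshkey=&sshkey=<key>`) skips the branch and the key survives in `ru.String()`. Loop over `q["sshkey"]` and redact when any entry is non-empty. Separately, `q.Encode()` re-emits the query sorted by key, so the redacted URL can reorder parameters relative to the input; a comment on RedactURL saying so would help callers who compare the strings.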
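Review bot: the two cases added to TestRedactURL in url_test.go exercise sshkey only as the sole query parameter. Add a case with a second parameter alongside it, to pin down the ordering that `q.Encode()` produces, and one where sshkey appears more than once, so the test documents how repeated values are handled.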
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-27rq-4943-qcwp (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-29810 (ghsa, ADVISORY)
- github.com/hashicorp/go-getter/commit/36b68b2f68a3ed10ee7ecbb0cb9f6b1dc5da49cc (ghsa, x_refsource_MISC, WEB)
- github.com/hashicorp/go-getter/pull/348 (ghsa, x_refsource_MISC, WEB)
- github.com/hashicorp/go-getter/releases/tag/v1.5.11 (ghsa, x_refsource_MISC, WEB)
- pkg.go.dev/vuln/GO-2022-0438 (ghsa, WEB)