Moderate severity · NVD Advisory · Published Feb 16, 2023 · Updated Mar 18, 2025
Go-Getter Vulnerable to Decompression Bombs
CVE-2023-0475
Description
HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/hashicorp/go-getter (Go) | < 1.7.0 | 1.7.0 |
| github.com/hashicorp/go-getter/v2 (Go) | >= 2.0.0, < 2.2.0 | 2.2.0 |
Affected products
- ghsa-coords (2 versions)
  - (no CPE) range: < 1.7.0
  - (no CPE) range: >= 2.0.0, < 2.2.0
References
- github.com/advisories/GHSA-jpxj-2jvg-6jv9 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-0475 (ghsa, ADVISORY)
- discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125 (ghsa, WEB)
- github.com/hashicorp/go-getter/commit/0edab85348271c843782993345b07b1ac98912e6 (ghsa, WEB)
- github.com/hashicorp/go-getter/commit/78e6721a2a76266718dc92c3c03c1571dffdefdc (ghsa, WEB)