VYPR
Low severity · OSV Advisory · Published Nov 20, 2025 · Updated Apr 15, 2026

CVE-2025-13425


Description

A bug in the filesystem traversal fallback path causes Next() in fs/diriterate/diriterate.go to index into an empty slice when ReadDir returns nil for an empty directory. The resulting index-out-of-range panic crashes the OSV-SCALIBR process (denial of service).
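To make the failure mode concrete, here is an added Go example. It is not code from OSV-SCALIBR or from this advisory; the names (emptyDirFile, nextUnsafe, nextSafe, callNext, drain, sampleFS) and the in-memory inputs are constructed for illustration. It reproduces the pattern the description names: an iterator that trusts a nil error from ReadDir(1) to mean "at least one entry" and indexes list[0], beside a hardened form that treats a nil directory handle or an empty list as io.EOF. The lenient handle below returns (nil, nil) for an empty directory on purpose, which is the input shape that triggers the crash; a conforming handle (the fstest.MapFS directory) returns io.EOF and never reaches the index, which is why this class of bug tends to survive ordinary testing.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"io/fs"
	"testing/fstest"
)

// emptyDirFile is a constructed fs.ReadDirFile standing in for a handle on an
// empty directory. It is deliberately lenient: ReadDir returns (nil, nil) at
// end of directory instead of (nil, io.EOF). Not code from OSV-SCALIBR.
type emptyDirFile struct{}

func (emptyDirFile) Stat() (fs.FileInfo, error)         { return nil, fs.ErrInvalid }
func (emptyDirFile) Read([]byte) (int, error)           { return 0, fs.ErrInvalid }
func (emptyDirFile) Close() error                       { return nil }
func (emptyDirFile) ReadDir(int) ([]fs.DirEntry, error) { return nil, nil }

// sampleFS is a constructed in-memory tree: "docs" holds two files and "empty"
// is a conforming empty directory whose handle reports io.EOF, not a nil list.
func sampleFS() fs.FS {
	return fstest.MapFS{
		"docs/a.txt": {Data: []byte("a")},
		"docs/b.txt": {Data: []byte("b")},
		"empty":      {Mode: fs.ModeDir},
	}
}

// openDir opens path on fsys as a directory handle.
func openDir(fsys fs.FS, path string) (fs.ReadDirFile, error) {
	f, err := fsys.Open(path)
	if err != nil {
		return nil, err
	}
	d, ok := f.(fs.ReadDirFile)
	if !ok {
		f.Close()
		return nil, fmt.Errorf("%s: not a directory handle", path)
	}
	return d, nil
}

// nextUnsafe mirrors the vulnerable pattern: a nil error from ReadDir(1) is
// taken to guarantee an entry, and list[0] is indexed without a length check.
func nextUnsafe(dir fs.ReadDirFile) (fs.DirEntry, error) {
	list, err := dir.ReadDir(1)
	if err != nil {
		return nil, err
	}
	return list[0], nil // index out of range when list is empty
}

// nextSafe is the hardened form: a nil handle or an empty list both mean
// "nothing left" and are reported as io.EOF instead of being indexed.
func nextSafe(dir fs.ReadDirFile) (fs.DirEntry, error) {
	if dir == nil {
		return nil, io.EOF
	}
	list, err := dir.ReadDir(1)
	if err != nil {
		return nil, err
	}
	if len(list) == 0 {
		return nil, io.EOF
	}
	return list[0], nil
}

// callNext runs next and converts a runtime panic into an error so the crash
// can be observed without taking the process down.
func callNext(next func(fs.ReadDirFile) (fs.DirEntry, error), dir fs.ReadDirFile) (entry fs.DirEntry, err error) {
	defer func() {
		if r := recover(); r != nil {
			entry, err = nil, fmt.Errorf("panic: %v", r)
		}
	}()
	return next(dir)
}

// drain iterates with next until io.EOF and returns the entry names seen.
func drain(next func(fs.ReadDirFile) (fs.DirEntry, error), dir fs.ReadDirFile) ([]string, error) {
	var names []string
	for {
		e, err := callNext(next, dir)
		if errors.Is(err, io.EOF) {
			return names, nil
		}
		if err != nil {
			return names, err
		}
		names = append(names, e.Name())
	}
}

func main() {
	_, err := callNext(nextUnsafe, emptyDirFile{})
	fmt.Println("unsafe, lenient handle:", err)
	_, err = callNext(nextSafe, emptyDirFile{})
	fmt.Println("safe, lenient handle:", err)
	docs, _ := openDir(sampleFS(), "docs")
	names, err := drain(nextSafe, docs)
	fmt.Println("safe, docs:", names, err)
}
```

Running main prints a "panic: runtime error: index out of range" error for the unsafe iterator on the lenient handle, io.EOF for the safe one, and the two file names for the populated directory. The recover in callNext is only there so the crash is observable in-process; in a scanner that walks untrusted filesystems the fix is the length check in nextSafe, not a recover around every call.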

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Ecosystem   Affected versions   Patched versions
github.com/google/osv-scalibr  Go          < 0.3.4             0.3.4

Affected products

1

Patches

1
e67c4e198ca0

Fix array overindexing bug in diriterate when using the fallback method on empty dirs.

https://github.com/google/osv-scalibr · Erik Varga · Sep 10, 2025 · via ghsa
1 file changed · +6 −1
  • fs/diriterate/diriterate.go  +6 −1  modified
    @@ -63,14 +63,19 @@ type DirIterator struct {
     // Next returns the next fs.DirEntry from the directory. If error is nil, there will be a
     // fs.DirEntry returned.
     func (i *DirIterator) Next() (fs.DirEntry, error) {
    -	if i.files != nil {
    +	if len(i.files) > 0 {
     		if i.curr >= len(i.files) {
     			return nil, io.EOF
     		}
     		i.curr++
     		return i.files[i.curr-1], nil
     	}
     
    +	if i.dir == nil {
    +		// This is an iterator for an empty directory, so we return EOF immediately.
    +		return nil, io.EOF
    +	}
    +
     	list, err := i.dir.ReadDir(1)
     	if err != nil {
     		return nil, err
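Review bot: the new `i.dir == nil` guard only covers an iterator built without a directory handle; the `list, err := i.dir.ReadDir(1)` call that follows is still unguarded for the case the description names, a nil (zero-length) `list` returned with a nil error from a non-nil handle, and the lines that index `list` lie outside this hunk, so it is not visible here whether that case is handled. Suggest adding `if len(list) == 0 { return nil, io.EOF }` directly after the `if err != nil` check so the doc comment's contract ("If error is nil, there will be a fs.DirEntry returned") holds on the fallback path as well. Note also that changing `if i.files != nil` to `if len(i.files) > 0` means an empty, non-nil `i.files` with a non-nil `i.dir` now falls through to `ReadDir` where it previously returned `io.EOF`; if that combination can occur it deserves a comment and a regression test alongside the empty-directory case this commit fixes.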
    

