CVE-2026-44973
Description
Billy is an interface filesystem abstraction for Go. Prior to 5.9.0, multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base directories. While go-billy was not originally designed to provide a strong security boundary, some of these issues were inconsistent across some of the built-in implementations. This results in scenarios where applications relying on go-billy for some level of isolation may inadvertently expose access to unintended filesystem locations. This vulnerability is fixed in 5.9.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/go-git/go-billy/v5 (Go) | < 5.9.0 | 5.9.0 |
| github.com/go-git/go-billy/v6 (Go) | < 6.0.0-alpha.1 | 6.0.0-alpha.1 |
Affected products
osv-coords: 72 versions. No CPE is listed for any entry.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/amazon-ssm-agent | < 3.3.4364.0-r1 |
| pkg:apk/chainguard/amazon-ssm-agent-ecs-exec | < 3.3.4364.0-r1 |
| pkg:apk/chainguard/argo-cd-3.1 | < 3.1.16-r3 |
| pkg:apk/chainguard/argo-cd-3.1-compat | < 3.1.16-r3 |
| pkg:apk/chainguard/argo-cd-3.2 | < 3.2.12-r1 |
| pkg:apk/chainguard/argo-cd-3.2-compat | < 3.2.12-r1 |
| pkg:apk/chainguard/argo-cd-fips-3.1 | < 3.1.16-r1 |
| pkg:apk/chainguard/argo-cd-fips-3.1-compat | < 3.1.16-r1 |
| pkg:apk/chainguard/argo-cd-fips-3.2 | < 3.2.12-r2 |
| pkg:apk/chainguard/argo-cd-fips-3.2-compat | < 3.2.12-r2 |
| pkg:apk/chainguard/argo-cd-fips-3.3 | < 3.3.10-r2 |
| pkg:apk/chainguard/argo-cd-fips-3.3-compat | < 3.3.10-r2 |
| pkg:apk/chainguard/argo-cd-fips-3.4 | < 3.4.2-r2 |
| pkg:apk/chainguard/argo-cd-fips-3.4-compat | < 3.4.2-r2 |
| pkg:apk/chainguard/cerbos | < 0.53.0-r3 |
| pkg:apk/chainguard/cerbosctl | < 0.53.0-r3 |
| pkg:apk/chainguard/cerbosctl-fips | < 0.53.0-r1 |
| pkg:apk/chainguard/cerbos-fips | < 0.53.0-r1 |
| pkg:apk/chainguard/chainloop-cli | < 1.96.3-r1 |
| pkg:apk/chainguard/chainloop-cli-fips | < 1.96.3-r1 |
| pkg:apk/chainguard/gitaly-18.10 | < 18.10.6-r2 |
| pkg:apk/chainguard/gitaly-18.11 | < 18.11.6-r3 |
| pkg:apk/chainguard/gitaly-18.9 | < 18.9.7-r2 |
| pkg:apk/chainguard/gitlab-rails-ce-18.1 | < 18.1.6-r12 |
| pkg:apk/chainguard/gitlab-rails-ce-18.10 | < 18.10.6-r1 |
| pkg:apk/chainguard/gitlab-rails-ce-18.11 | < 18.11.2-r3 |
| pkg:apk/chainguard/gitlab-rails-ce-fips-18.1 | < 18.1.6-r12 |
| pkg:apk/chainguard/gitlab-rails-ce-fips-18.10 | < 18.10.6-r1 |
| pkg:apk/chainguard/gitlab-rails-ce-fips-18.11 | < 18.11.3-r1 |
| pkg:apk/chainguard/gitlab-rails-ce-fips-18.9 | < 18.9.7-r1 |
| pkg:apk/chainguard/kyverno-cli-fips-1.17 | < 1.17.2-r4 |
| pkg:apk/chainguard/nemo | < 2.7.3-r4 |
| pkg:apk/chainguard/packer-fips | < 1.15.3-r4 |
| pkg:apk/chainguard/rancher-fleet-cli | < 0.15.1-r3 |
| pkg:apk/chainguard/rancher-fleet-cli-fips | < 0.15.1-r3 |
| pkg:apk/chainguard/rancher-fleet-controller | < 0.15.1-r3 |
| pkg:apk/chainguard/rancher-fleet-controller-fips | < 0.15.1-r3 |
| pkg:apk/chainguard/rclone | < 1.74.1-r1 |
| pkg:apk/chainguard/rclone-fips | < 1.74.1-r2 |
| pkg:apk/chainguard/scorecard | < 5.5.0-r3 |
| pkg:apk/chainguard/seaweedfs-rocksdb | < 4.30-r0 |
| pkg:apk/chainguard/seaweedfs-rocksdb-fips | < 4.30-r0 |
| pkg:apk/chainguard/skaffold-fips | < 2.20.0-r0 |
| pkg:apk/chainguard/syft | < 1.44.0-r3 |
| pkg:apk/chainguard/syft-fips | < 1.44.0-r2 |
| pkg:apk/chainguard/telegraf-1.37 | < 1.37.3-r16 |
| pkg:apk/chainguard/teleport-17 | < 17.7.24-r0 |
| pkg:apk/chainguard/teleport-18 | < 18.8.2-r0 |
| pkg:apk/chainguard/teleport-18.6 | < 18.6.8-r17 |
| pkg:apk/chainguard/terragrunt | < 1.0.5-r3 |
| pkg:apk/chainguard/terragrunt-fips | < 1.0.1-r4 |
| pkg:apk/wolfi/argo-cd-3.1 | < 3.1.16-r3 |
| pkg:apk/wolfi/argo-cd-3.1-compat | < 3.1.16-r3 |
| pkg:apk/wolfi/argo-cd-3.2 | < 3.2.12-r1 |
| pkg:apk/wolfi/argo-cd-3.2-compat | < 3.2.12-r1 |
| pkg:apk/wolfi/cerbos | < 0.53.0-r3 |
| pkg:apk/wolfi/cerbosctl | < 0.53.0-r3 |
| pkg:apk/wolfi/gitaly-18.10 | < 18.10.6-r2 |
| pkg:apk/wolfi/gitaly-18.11 | < 18.11.6-r3 |
| pkg:apk/wolfi/gitaly-18.9 | < 18.9.7-r2 |
| pkg:apk/wolfi/rancher-fleet-cli | < 0.15.1-r3 |
| pkg:apk/wolfi/rancher-fleet-controller | < 0.15.1-r3 |
| pkg:apk/wolfi/rclone | < 1.74.1-r1 |
| pkg:apk/wolfi/scorecard | < 5.5.0-r3 |
| pkg:apk/wolfi/syft | < 1.44.0-r3 |
| pkg:apk/wolfi/telegraf-1.37 | < 1.37.3-r16 |
| pkg:apk/wolfi/teleport-17 | < 17.7.24-r0 |
| pkg:apk/wolfi/teleport-18 | < 18.8.2-r0 |
| pkg:apk/wolfi/teleport-18.6 | < 18.6.8-r17 |
| pkg:apk/wolfi/terragrunt | < 1.0.5-r3 |
| pkg:golang/github.com/go-git/go-billy/v5 | < 5.9.0 |
| pkg:golang/github.com/go-git/go-billy/v6 | < 6.0.0-alpha.1 |