CVE-2025-0913

Publication date 11 June 2025

Last updated 12 June 2025


Ubuntu priority

CVSS 3 Severity Score

5.5 · Medium


os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.
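A regression check for the behaviour described above, as an added example that is not code from this advisory or from the Go project: it creates a dangling symlink, opens it with O_CREATE|O_EXCL, and reports whether the link's target was created. The names `CheckExclCreate`, `Result`, `link` and `missing-target` are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Result records what os.OpenFile did with a dangling symlink.
type Result struct {
	TargetCreated bool  // true: the open followed the link and created its target
	OpenErr       error // error returned by OpenFile (expected to be non-nil)
}

// CheckExclCreate makes a dangling symlink in dir and opens it with
// O_CREATE|O_EXCL. The names "link" and "missing-target" are constructed
// for this example.
func CheckExclCreate(dir string) (Result, error) {
	target := filepath.Join(dir, "missing-target")
	link := filepath.Join(dir, "link")
	if err := os.Symlink(target, link); err != nil {
		return Result{}, fmt.Errorf("create symlink: %w", err)
	}

	f, openErr := os.OpenFile(link, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0o600)
	if openErr == nil {
		f.Close()
	}

	// Lstat the target path itself: if it exists now, the open wrote through the link.
	_, statErr := os.Lstat(target)
	if statErr != nil && !errors.Is(statErr, os.ErrNotExist) {
		return Result{}, fmt.Errorf("stat target: %w", statErr)
	}
	return Result{TargetCreated: statErr == nil, OpenErr: openErr}, nil
}

func main() {
	dir, err := os.MkdirTemp("", "excl-symlink-check")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	defer os.RemoveAll(dir)
	res, err := CheckExclCreate(dir)
	fmt.Printf("target created: %v, open error: %v, setup error: %v\n",
		res.TargetCreated, res.OpenErr, err)
}
```

A toolchain with the behaviour the advisory describes as correct reports `target created: false` together with a non-nil open error. On Windows, creating the symlink may itself fail without the required privilege, which shows up as the setup error.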


Status

| Package | Ubuntu Release | Status |
|---|---|---|
| golang | 25.04 plucky | Not in release |
| | 24.10 oracular | Not in release |
| | 24.04 LTS noble | Not in release |
| | 22.04 LTS jammy | Not in release |
| golang-1.10 | 25.04 plucky | Not in release |
| | 24.10 oracular | Not in release |
| | 24.04 LTS noble | Not in release |
| | 22.04 LTS jammy | Not in release |
| | 18.04 LTS bionic | Ignored (Windows Only) |
| | 16.04 LTS xenial | Ignored (Windows Only) |
| | 14.04 LTS trusty | Ignored (Windows Only) |
| golang-1.13 | 25.04 plucky | Not in release |
| | 24.10 oracular | Not in release |
| | 24.04 LTS noble | Not in release |
| | 22.04 LTS jammy | Ignored (Windows Only) |
| | 20.04 LTS focal | Ignored (Windows Only) |
| | 18.04 LTS bionic | Ignored (Windows Only) |
| | 16.04 LTS xenial | Ignored (Windows Only) |
| golang-1.14 | 25.04 plucky | Not in release |
| | 24.10 oracular | Not in release |
| | 24.04 LTS noble | Not in release |
| | 22.04 LTS jammy | Not in release |
| | 20.04 LTS focal | Ignored (Windows Only) |
| golang-1.16 | 25.04 plucky | Not in release |
| | 24.10 oracular | Not in release |
| | 24.04 LTS noble | Not in release |
| | 22.04 LTS jammy | Not in release |
| | 20.04 LTS focal | Ignored (Windows Only) |
| | 18.04 LTS bionic | Ignored (Windows Only) |
| golang-1.17 | 25.04 plucky | Not in release |
| | 24.10 oracular | Not in release |
| | 24.04 LTS noble | Not in release |
| | 22.04 LTS jammy | Ignored (Windows Only) |
| golang-1.18 | 25.04 plucky | Not in release |
| | 24.10 oracular | Not in release |
| | 24.04 LTS noble | Not in release |
| | 22.04 LTS jammy | Ignored (Windows Only) |
| | 18.04 LTS bionic | Ignored (Windows Only) |
| | 16.04 LTS xenial | Ignored (Windows Only) |
| golang-1.20 | 25.04 plucky | Not in release |
| | 24.10 oracular | Not in release |
| | 24.04 LTS noble | Not in release |
| | 22.04 LTS jammy | Ignored (Windows Only) |
| golang-1.21 | 25.04 plucky | Not in release |
| | 24.10 oracular | Not in release |
| | 24.04 LTS noble | Ignored (Windows Only) |
| | 22.04 LTS jammy | Ignored (Windows Only) |
| golang-1.22 | 25.04 plucky | Not in release |
| | 24.10 oracular | Ignored (Windows Only) |
| | 24.04 LTS noble | Ignored (Windows Only) |
| | 22.04 LTS jammy | Ignored (Windows Only) |
| golang-1.23 | 25.04 plucky | Ignored (Windows Only) |
| | 24.10 oracular | Ignored (Windows Only) |
| | 24.04 LTS noble | Ignored (Windows Only) |
| | 22.04 LTS jammy | Ignored (Windows Only) |
| golang-1.24 | 25.04 plucky | Ignored (Windows Only) |
| | 24.10 oracular | Not in release |
| | 24.04 LTS noble | Not in release |
| | 22.04 LTS jammy | Not in release |
| golang-1.6 | 25.04 plucky | Not in release |
| | 24.10 oracular | Not in release |
| | 24.04 LTS noble | Not in release |
| | 22.04 LTS jammy | Not in release |
| | 16.04 LTS xenial | Ignored (Windows Only) |
| golang-1.8 | 25.04 plucky | Not in release |
| | 24.10 oracular | Not in release |
| | 24.04 LTS noble | Not in release |
| | 22.04 LTS jammy | Not in release |
| | 18.04 LTS bionic | Ignored (Windows Only) |
| golang-1.9 | 25.04 plucky | Not in release |
| | 24.10 oracular | Not in release |
| | 24.04 LTS noble | Not in release |
| | 22.04 LTS jammy | Not in release |
| | 18.04 LTS bionic | Ignored (Windows Only) |

Notes


rodrigo-zaiden

This issue only affects Go on Windows.


mdeslaur

Packages built using golang need to be rebuilt once the vulnerability has been fixed. This CVE entry does not list packages that need rebuilding outside of the main repository or the Ubuntu variants with PPA overlays. Warning: do not include nullboot in the list of no-change rebuilds after fixing an issue in golang.

Severity score breakdown

| Parameter | Value |
|---|---|
| Base score | 5.5 · Medium |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |