CVE-2019-25073: Goa vulnerable to path traversal
7.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.30975%
CWE
Published
12/28/2022
Updated
3/1/2023
KEV Status
No
Technology
Go
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/goadesign/goa | go | < 1.4.3 | 1.4.3 |
goa.design/goa | go | < 1.4.3 | 1.4.3 |
goa.design/goa/v3 | go | < 3.0.9 | 3.0.9 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
- The GitHub commit explicitly modifies FileHandler to add path traversal checks
- The vulnerability description directly references improper path sanitization in file handlers
- The Go vulnerability report (GO-2020-0032) lists Controller.FileHandler as an affected symbol
- The CWE-22 classification matches the pattern of missing path validation in file serving functions
- The patch adds 'attemptsPathTraversal' validation specifically to FileHandler's execution flow