CVE-2022-26945

HIGH8.6EPSS 0.20%

Resource exhaustion in github.com/hashicorp/go-getter and related modules

Published: 5/26/2022Modified: 4/28/2026

Description

go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.

Affected packages (21)

Debian/golang-github-hashicorp-go-getterfrom 0
Go/github.com/hashicorp/go-getterfrom 0, < 1.6.1
Go/github.com/hashicorp/go-getterfrom 0, < 1.6.1
Go/github.com/hashicorp/go-getterfrom 0, < 1.6.1
Go/github.com/hashicorp/go-getterfrom 0, < 1.6.1
Go/github.com/hashicorp/go-getterfrom 0, < 1.6.1
Go/github.com/hashicorp/go-getter/gcs/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/gcs/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/gcs/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/gcs/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/gcs/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/s3/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/s3/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/s3/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/s3/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/s3/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/v2from 0, < 2.1.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Description

Affected packages (21)

CVSS scores

References (15)