CVE-2022-41720

Name: CVE-2022-41720
Creator: NVD / NIST
Published: 2022-12-07T17:15:10.293+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 1.19%

Last modified Jun 17, 2026

CVE-2022-41720 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. EPSS estimates a 1.19% chance of exploitation in the next 30 days.

Description

On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With fix applied, the behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

1.19%

64.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-22

Affected Software

Vendor	Product	Versions
Golang	Go	< 1.18.9
Golang	Go	>= 1.19.0, < 1.19.4

References

https://go.dev/cl/455716Patch, Vendor Advisory
https://go.dev/issue/56694Issue Tracking, Vendor Advisory
https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJPatch, Release Notes, Third Party Advisory
https://pkg.go.dev/vuln/GO-2022-1143Patch, Vendor Advisory
https://go.dev/cl/455716Patch, Vendor Advisory
https://go.dev/issue/56694Issue Tracking, Vendor Advisory
https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJPatch, Release Notes, Third Party Advisory
https://pkg.go.dev/vuln/GO-2022-1143Patch, Vendor Advisory

Timeline

Published: Dec 7, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-41720?

How severe is CVE-2022-41720?

CVE-2022-41720 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 1.19% probability of exploitation in the next 30 days.

How do I fix CVE-2022-41720?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-41720?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST