go-getter patches Git URL injection enabling arbitrary file reads
TL;DR — A maliciously crafted Git URL can make HashiCorp’s go-getter perform unintended host filesystem reads during certain Git operations; patching closes a practical supply-chain ingestion risk.
What happened
go-getter is a Go library (maintained by HashiCorp) used to download files/directories from multiple backends using a URL as the primary input, and it is commonly embedded into other tooling that “fetches code by URL.”
CVE-2026-4660 reports that go-getter up to v1.8.5 may allow arbitrary file reads on the local filesystem during certain Git operations via a maliciously crafted URL. HashiCorp’s bulletin explains the mechanism as Git argument injection when go-getter shells out to the git binary and checks the remote repository’s default branch HEAD if a Git reference is not explicitly provided.
| Item | Source value |
|---|---|
| Affected software | github.com/hashicorp/go-getter |
| Impact (per bulletin/CVE) | Arbitrary filesystem reads through certain Git operations via a crafted URL |
| Severity | CVSS v3.1 7.5 (High) |
| Affected versions | < 1.8.6 ("up to v1.8.5") |
| Patched version | 1.8.6 |
| Not affected | go-getter/v2 branch/package |
This is a high-signal class of issue because it targets the “fetch inputs by URL” pattern that sits on critical trust boundaries (CI jobs, module/template fetchers, bootstrap scripts), where attacker influence over a URL can become a direct read primitive on the runner/host.
Who is impacted
- Any application or platform component that uses go-getter < 1.8.6.
- Higher-risk consumers that accept attacker-influenced Git URLs (directly or indirectly) and run go-getter in environments where local filesystem contents are sensitive (CI runners, build agents, shared automation hosts).
- Teams that assumed “URL fetch” operations are isolated from host filesystem reads during Git checkout/update flows.
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
"Consumers of the go-getter library should evaluate the risk associated with these issues in the context of their go-getter usage and upgrade go-getter to 1.8.6 or later."
- Inventory where go-getter is present (Go module deps, internal tooling, build images) and prioritize patching internet-facing or multi-tenant automation paths first.
- Reduce exposure by tightening who/what can supply Git URLs into automation, and review any workflows that dynamically fetch code from untrusted sources.
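For the inventory step, the following Go snippet (an added example, not HashiCorp's or go-getter's code) scans go.mod text for a github.com/hashicorp/go-getter requirement pinned below the patched 1.8.6, skipping the unaffected go-getter/v2 module path; the sample go.mod it runs on is constructed.

```go
// Added example, not HashiCorp's or go-getter's own code: report whether a go.mod
// pins github.com/hashicorp/go-getter below the patched 1.8.6 (go-getter/v2 is skipped).
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const goGetterPath, patchedVersion = "github.com/hashicorp/go-getter", "v1.8.6"
// versionKey orders "vMAJOR.MINOR.PATCH[-pre][+meta]" (components < 1000) as one int, -1 if malformed.
func versionKey(v string) int {
	parts := strings.SplitN(strings.TrimPrefix(v, "v"), "-", 2) // base, optional pre-release
	nums := strings.Split(strings.SplitN(parts[0], "+", 2)[0], ".")
	if len(nums) != 3 {
		return -1
	}
	key := 0
	for _, p := range nums {
		n, err := strconv.Atoi(p)
		if err != nil || n >= 1000 {
			return -1
		}
		key = key*1000 + n
	}
	if len(parts) == 2 {
		key-- // semver: a pre-release or pseudo-version sorts below its base version
	}
	return key
}
// VulnerableGoGetter returns the pinned v1 go-getter version and whether it is below
// 1.8.6, reading "require path version" or "path version [// indirect]" lines; an
// unparseable pin is reported as vulnerable so that it gets reviewed.
func VulnerableGoGetter(gomod string) (version string, vulnerable bool) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) < 2 || f[0] != goGetterPath {
			continue // other modules, including go-getter/v2, are not affected
		}
		return f[1], versionKey(f[1]) < versionKey(patchedVersion)
	}
	return "", false
}
// Constructed sample: an unaffected v2 dependency next to a vulnerable v1 indirect pin.
const sampleGoMod = "require (\n\tgithub.com/hashicorp/go-getter/v2 v2.2.3\n\tgithub.com/hashicorp/go-getter v1.8.5 // indirect\n)\n"
func main() {
	v, vuln := VulnerableGoGetter(sampleGoMod)
	fmt.Printf("go-getter %s below %s: %v\n", v, patchedVersion, vuln)
}
```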
Additional Information
- HashiCorp bulletin (HCSEC-2026-04): https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311
