CVE-2022-41720 is a high-severity path traversal vulnerability affecting the Go standard library's os package, specifically the os.DirFS function and the http.Dir type on Windows platforms. These functions are designed to provide read-only access to a subtree of the filesystem rooted at a specified directory. However, due to improper limitation of pathnames, they allow access to Windows device files (e.g., COM1) and, more critically, permit crafted paths to escape the intended root directory when the root is set to the drive root or an empty string. For example, os.DirFS("").Open("tmp") previously resolved to opening "/tmp" (the root directory), but this behavior was changed in the fix to return an error, preventing unintended access. The vulnerability arises because the functions do not adequately sanitize or restrict path traversal sequences, allowing an attacker to read arbitrary files or device files on the system. The vulnerability impacts Go versions up to 1.19.0-0 and is exploitable remotely without authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). Although the access is read-only, the confidentiality impact is high since sensitive files or device files can be accessed. No known exploits are currently reported in the wild, but the ease of exploitation and potential impact warrant urgent attention. The fix involves changing the behavior of os.DirFS when the root is empty and improving path validation to prevent traversal outside the intended directory tree.

For European organizations, this vulnerability poses a significant confidentiality risk, especially for those developing or deploying Go applications on Windows servers or endpoints. Attackers could exploit this flaw to read sensitive configuration files, credentials, or other protected data, potentially leading to information disclosure or aiding further attacks. Since the vulnerability allows access to Windows device files, it could also be used to gather system information or interfere with device operations indirectly. Organizations relying on Go-based web servers or services that expose filesystem access via http.Dir or os.DirFS are particularly at risk. The read-only nature limits direct system compromise but does not eliminate the risk of data leakage. This could impact sectors with strict data protection requirements such as finance, healthcare, and government agencies across Europe. Additionally, organizations using automated build or deployment pipelines with vulnerable Go versions on Windows might inadvertently expose internal files. The lack of required authentication and user interaction increases the attack surface, making remote exploitation feasible if the vulnerable functionality is exposed over a network.

1. Upgrade all Go environments to version 1.19.1 or later where the vulnerability is patched. 2. Audit all Go codebases and dependencies to identify usage of os.DirFS and http.Dir, especially where the root directory is set to an empty string or the drive root on Windows. 3. Avoid using os.DirFS or http.Dir to expose filesystem trees rooted at sensitive or system directories. 4. Implement strict input validation and sanitization on any user-supplied paths before passing them to these functions. 5. Restrict network exposure of services that use http.Dir or os.DirFS to trusted internal networks only. 6. Employ runtime monitoring to detect unusual file access patterns indicative of path traversal attempts. 7. For critical systems, consider additional application-layer access controls or sandboxing to limit the impact of potential exploitation. 8. Review and update security policies and developer guidelines to discourage unsafe filesystem access patterns in Go applications on Windows.