CVE-2025-0913 is a medium-severity vulnerability in the Go standard library's syscall package, specifically related to the os.OpenFile function's handling of symbolic links (symlinks) when used with the O_CREATE and O_EXCL flags. The vulnerability arises from inconsistent behavior between Unix and Windows platforms. On Unix systems, when os.OpenFile is called with O_CREATE and O_EXCL flags on a path that is a dangling symlink (a symlink pointing to a nonexistent target), the function does not follow the symlink and returns an error, preventing unintended file creation. However, on Windows systems, the same call would follow the dangling symlink and create a file at the nonexistent target location. This discrepancy could lead to improper link resolution before file access, classified under CWE-59 (Improper Link Resolution Before File Access, or 'Link Following'). The security risk is that an attacker who can control or influence symlinks might cause a program to create files in unintended locations, potentially leading to privilege escalation or unauthorized file manipulation. The Go standard library has addressed this issue by modifying os.OpenFile to always return an error when both O_CREATE and O_EXCL flags are set and the target path is a symlink, thus preventing file creation through dangling symlinks on all platforms. The vulnerability affects Go versions up to 1.24.0-0 and was published on June 11, 2025. The CVSS v3.1 base score is 5.5 (medium), with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, indicating local attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact. No known exploits are currently reported in the wild.

For European organizations, the impact of CVE-2025-0913 depends largely on their use of Go-based applications and services, especially those running on Windows platforms. Applications that rely on os.OpenFile with O_CREATE and O_EXCL flags to securely create files may be vulnerable to unintended file creation if they process user-controlled or external symlinks. This could lead to integrity violations such as overwriting or creating files in sensitive locations, potentially enabling privilege escalation or unauthorized modification of application data. The vulnerability does not affect confidentiality or availability directly but poses a significant risk to data integrity. Organizations using Go in critical infrastructure, financial services, healthcare, or government sectors could face increased risk if attackers exploit this behavior to manipulate files or escalate privileges. Since the vulnerability requires local access or low-privilege access and no user interaction, insider threats or attackers with limited access could exploit it. The inconsistency between Unix and Windows behavior also complicates cross-platform application security assessments. European organizations with mixed OS environments or those deploying Go applications on Windows should be particularly vigilant. The lack of known exploits reduces immediate risk, but the medium severity and potential for integrity compromise warrant prompt attention.

European organizations should take the following specific mitigation steps: 1) Identify all Go applications and services in their environment, particularly those running on Windows, that use os.OpenFile with O_CREATE and O_EXCL flags. 2) Upgrade all affected Go runtime versions to 1.24.1 or later (or the version where the patch is applied) as soon as it becomes available to ensure the fix is incorporated. 3) Audit application code for any use of symlinks in file creation paths and implement strict validation or sanitization of symlink targets to prevent manipulation. 4) Employ file system monitoring tools to detect unusual file creation activities, especially in sensitive directories. 5) Limit the ability of unprivileged users or processes to create or modify symlinks in directories accessed by Go applications. 6) For critical systems, consider implementing additional access controls or sandboxing to restrict file system access. 7) Incorporate this vulnerability into vulnerability management and patching workflows to ensure timely updates. 8) Educate developers and system administrators about the differences in symlink handling across platforms to avoid assumptions that could lead to security gaps.