Closed
os.OpenFile behaves inconsistently on Unix and Windows when it is passed the O_CREATE|O_EXCL flags and the path it is given is a dangling symlink (a symbolic link whose target does not exist).
On Unix systems, the call fails. From the Linux open(2) man page:
When [O_CREAT and O_EXCL] are specified, symbolic links are not followed: if pathname is a symbolic link, then open() fails regardless of where the symbolic link points.
On Windows, os.OpenFile follows the link and creates a new file at the location the link points to, so the call succeeds even though the caller asked for exclusive creation of that exact name.
Example test (passes on Unix systems, fails on Windows):
```go
package os_test

import (
	"os"
	"path/filepath"
	"testing"
)

// Creating through a dangling symlink with O_CREATE|O_EXCL must fail:
// the link itself already occupies the name, whatever it points to.
func TestOpenFileCreateExclDanglingSymlink(t *testing.T) {
	dir := t.TempDir()
	link := filepath.Join(dir, "link")
	// "does_not_exist" is never created, so the link dangles.
	if err := os.Symlink("does_not_exist", link); err != nil {
		t.Fatal(err)
	}
	f, err := os.OpenFile(link, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o666)
	if err == nil {
		f.Close()
		t.Errorf("OpenFile of a dangling symlink with O_CREATE|O_EXCL succeeded: want error")
	}
}
```
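The wrapper below is an added example and is not code from the Go issue, the Go standard library or the reporters. It shows how a caller that must run on an affected Windows toolchain can at least detect the behaviour described above: after the exclusive open succeeds, it checks with os.Lstat (which does not follow links) that the name is not a symbolic link and, via os.SameFile, that the name still refers to the file that was actually opened. The names CreateExclusive and ErrNameMismatch are invented for this example.

```go
// Added example (not from the Go issue, the Go standard library or the
// reporters). CreateExclusive and ErrNameMismatch are names invented here.
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrNameMismatch reports that, after an O_CREATE|O_EXCL open succeeded,
// the name turned out to be a symbolic link or to refer to some other file
// than the one that was opened.
var ErrNameMismatch = errors.New("exclusive create: name does not refer to the created file")

// CreateExclusive opens path with O_WRONLY|O_CREATE|O_EXCL and then checks,
// without following links, that the name still refers to the file that was
// just opened. On Unix a symlink at path already makes OpenFile fail; on a
// Windows toolchain with the behaviour described above the open succeeds
// and the file is created at the link target, which this check detects.
func CreateExclusive(path string, perm os.FileMode) (*os.File, error) {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, perm)
	if err != nil {
		return nil, err
	}
	li, err := os.Lstat(path) // Lstat does not follow symbolic links.
	if err != nil {
		f.Close()
		return nil, err
	}
	fi, err := f.Stat() // describes the file that was actually opened
	if err != nil {
		f.Close()
		return nil, err
	}
	// A symlink at path, or a name that no longer refers to the opened file
	// (for example swapped by another process), means the name was not ours.
	if li.Mode()&os.ModeSymlink != 0 || !os.SameFile(li, fi) {
		f.Close()
		return nil, ErrNameMismatch
	}
	return f, nil
}

func main() {
	dir, err := os.MkdirTemp("", "excl")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	// Reproduce the issue's scenario: a link whose target does not exist.
	link := filepath.Join(dir, "link")
	if err := os.Symlink("does_not_exist", link); err != nil {
		panic(err)
	}
	if f, err := CreateExclusive(link, 0o666); err != nil {
		fmt.Println("dangling symlink refused:", err)
	} else {
		f.Close()
		fmt.Println("unexpected: created through dangling symlink")
	}

	// A fresh name is created once and refused the second time.
	plain := filepath.Join(dir, "plain")
	f, err := CreateExclusive(plain, 0o666)
	if err != nil {
		panic(err)
	}
	f.Close()
	_, err = CreateExclusive(plain, 0o666)
	fmt.Println("second create of an existing file fails with ErrExist:", errors.Is(err, os.ErrExist))
}
```

This is a post-hoc check, not an atomic guarantee: on an affected Windows toolchain the file at the link target has already been created by the time the mismatch is detected, and the wrapper deliberately does not try to remove it, since deleting through the same untrusted name would reintroduce the problem it is guarding against. It is a stopgap for callers, not a substitute for OpenFile itself refusing the symlink.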
We have decided to categorize this as a PUBLIC track security vulnerability. This is CVE-2025-0913.
Thanks to Junyoung Park and Dong-uk Kim of KAIST Hacking Lab for discovering this issue.