PatchSiren cyber security CVE debrief
CVE-2025-70950 itang CVE debrief
CVE-2025-70950 documents a directory traversal flaw in gohttp commit 34ea51 that can be triggered with a crafted request. The NVD entry rates the issue 7.3 (HIGH) and maps it to CWE-22. Because the record is network-exploitable with no privileges or user interaction required, teams using gohttp-based services should treat it as a priority remediation item and validate whether their deployed code includes the affected commit or equivalent logic.
- Vendor
- itang
- Product
- gohttp
- CVSS
- HIGH 7.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-19
- Original CVE updated
- 2026-05-19
- Advisory published
- 2026-05-19
- Advisory updated
- 2026-05-19
Who should care
Security and engineering teams operating or embedding gohttp, especially any service exposed over the network that may include code from commit 34ea51. Asset owners should also care if they rely on downstream packages or internal forks built from gohttp.
Technical summary
The published NVD record describes an issue in gohttp commit 34ea51 where a crafted request can cause directory traversal. The entry classifies the weakness as CWE-22 and provides a CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating a remotely reachable issue with low attack complexity and no authentication or user interaction required. The source corpus does not provide an affected-version range, patch commit, or vendor fix details.
Defensive priority
High. The combination of remote reachability, no required privileges, and low complexity makes this a practical issue to triage quickly for any exposed gohttp deployment.
Recommended defensive actions
- Inventory where gohttp is used, including forks, vendored copies, and services that embed it.
- Check whether deployed code includes commit 34ea51 or the affected request-handling path described in the record.
- Apply an upstream fix or backport remediation as soon as one is available; if no fix is available yet, mitigate by isolating the service or disabling the affected functionality.
- Review request handling and path normalization controls to ensure traversal sequences cannot escape the intended document root.
- Monitor logs and HTTP telemetry for anomalous path traversal patterns and follow up on any suspicious requests.
- Retest after remediation to confirm the traversal condition is no longer reachable.
Evidence notes
The evidence corpus contains an official NVD record for CVE-2025-70950 with published and modified timestamps of 2026-05-19, a CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, and a CWE-22 mapping. The NVD metadata also marks the vulnStatus as Deferred. Two MITRE-cited references are present in the corpus: a GitHub issue in the gohttp repository and a GitHub Gist, but their contents are not included here, so no additional claims are made beyond the indexed record metadata and description.
Official resources
Publicly disclosed in the NVD record dated 2026-05-19; the NVD source metadata currently marks the vulnerability status as Deferred.