Impact
go-billy is a filesystem abstraction (a set of Go interfaces with several backing implementations) for Go. Prior to version 5.9.0, several components of go-billy contain path traversal vulnerabilities caused by insufficient sanitization and boundary enforcement. Crafted paths containing directory traversal sequences such as '..' can escape the intended base directory, allowing read or write access to unintended filesystem locations. The weakness is classified as CWE-22 (path traversal). Because go-billy was not originally engineered to provide a strong security boundary, applications that rely on it for isolation may inadvertently expose sensitive filesystem locations, enabling unauthorized data disclosure or modification.
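As an added illustration, not code from go-billy or from the advisory: a lexical boundary check of the kind the advisory says was missing, written against the Go standard library only. The base directory and the sample inputs are constructed; the check is purely lexical and says nothing about symlinks, which need a separate Lstat/EvalSymlinks pass.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a path would resolve outside the base directory.
var ErrOutsideBase = errors.New("path escapes base directory")

// SecureJoin resolves userPath against base and rejects any result that lexically
// escapes base. userPath is always treated as relative to base, even when it is
// absolute, mirroring a chroot-style filesystem. The check is lexical only: it
// does not follow symlinks (hypothetical helper, not go-billy's own API).
func SecureJoin(base, userPath string) (string, error) {
	cleanBase := filepath.Clean(base)
	// Strip any leading separator so "/etc/passwd" becomes "etc/passwd" under base.
	rel := strings.TrimLeft(filepath.ToSlash(userPath), "/")
	joined := filepath.Join(cleanBase, filepath.FromSlash(rel))

	// filepath.Join already collapses "..", so the result is compared back
	// against the base: a leading ".." component means the base was left.
	relToBase, err := filepath.Rel(cleanBase, joined)
	if err != nil {
		return "", err
	}
	if relToBase == ".." || strings.HasPrefix(relToBase, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return joined, nil
}

func main() {
	base := "/srv/repo" // constructed base directory
	// Constructed inputs: benign, internal "..", escaping "..", absolute, and a
	// directory whose name merely starts with "..".
	for _, p := range []string{"README.md", "docs/../config", "../../etc/passwd", "/etc/passwd", "..", "..hidden"} {
		got, err := SecureJoin(base, p)
		if err != nil {
			fmt.Printf("%-18s rejected: %v\n", p, err)
			continue
		}
		fmt.Printf("%-18s -> %s\n", p, got)
	}
}
```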
Affected Systems
The affected product is go-git's go-billy filesystem abstraction. All releases prior to 5.9.0 are vulnerable; the advisory does not list specific sub-versions, so any deployment using go-billy before the 5.9.0 fix is at risk.
Risk and Exploitability
The CVSS score of 8.1 places this vulnerability in the high severity range, indicating serious potential impact on confidentiality, integrity, and availability. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, meaning there is no confirmed exploitation record yet. Based on the description, it is inferred that if an attacker can influence the path input, crafted paths may escape the intended base directory. The likely attack vector depends on how the application exposes go-billy; if user input is accepted without validation, the flaw could be exploited either locally or through a remote service that forwards path data. This inference is grounded solely in the stated lack of path sanitization.
OpenCVE Enrichment
GitHub GHSA