How severe is GHSA-47wr-426j-fr82?

GHSA-47wr-426j-fr82 has a CVSS score of 6.1/10, rated MEDIUM. Review your exposure and patch according to your risk tolerance.

Which packages are affected by GHSA-47wr-426j-fr82?

GHSA-47wr-426j-fr82 affects the following packages: github.com/datacharmer/dbdeployer (Go). Ecosystems affected: Go.

How do I fix GHSA-47wr-426j-fr82?

Update github.com/datacharmer/dbdeployer to 1.58.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-47wr-426j-fr82 is resolved across your whole dependency graph.

How do I detect GHSA-47wr-426j-fr82 in my Go dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/datacharmer/dbdeployer. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-47wr-426j-fr82 if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-47wr-426j-fr82?

O3 pinpoints whether GHSA-47wr-426j-fr82 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-47wr-426j-fr82 actively exploited in the wild?

No public exploit code has been indexed for GHSA-47wr-426j-fr82 yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

What is the EPSS score for GHSA-47wr-426j-fr82?

GHSA-47wr-426j-fr82 has an EPSS (Exploit Prediction Scoring System) score of 1.2%, placing it in the 64th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. This score indicates relatively lower exploitation probability, though the CVSS severity should still guide your patching priority.

What type of vulnerability is GHSA-47wr-426j-fr82?

GHSA-47wr-426j-fr82 is classified as CWE-59 (CWE-59). This weakness type describe the underlying flaw category, which helps determine the potential impact and the right class of mitigation.

When was GHSA-47wr-426j-fr82 published, and has it been updated?

GHSA-47wr-426j-fr82 was published on February 12, 2022 and was last updated on March 13, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

🐹 Go

GHSA-47wr-426j-fr82

MEDIUM

Symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations in dbdeployer

Also known asCVE-2020-26277GO-2022-0787

Published

Feb 12, 2022

Updated

Mar 13, 2026

Affected

1 pkg

Patched

1 / 1

Exploits

None indexed

EPSS Exploitation Probability

via FIRST.org ↗

1.2%probability of exploitation in next 30 days

Lower Risk64th percentile+0.88%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected

🐹github.com/datacharmer/dbdeployer

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

Impact

Users unpacking a tarball through dbdeployer may use a maliciously packaged tarball that contains symlinks to files external to the target. In such scenario, an attacker could induce dbdeployer to write into a system file, thus altering the computer defences.

Mitigating factors

For the attach to succeed, the following factors need to contribute:

The user is logged in as root. While dbdeployer is usable as root, it was designed to run as unprivileged user.
The user has taken a tarball from a non secure source, without testing the checksum. When the tarball is retrieved through dbdeployer, the checksum is compared before attempting to unpack.

Analysis

An attacker could inject a symbolic link into the tarball, so that a file could result into fake_file -> /etc/passwd or some equally important file. As it is now, dbdeployer would create the symlink as defined, with a local file fake_file linked to /etc/passwd. The danger here is that any process with the privileges to write to both fake_file and /etc/passwd could overwrite the system file. Even without malicious intent, this could result in the system to become unusable. As noted above, the user must have write privileges to the target file to do the damage.

Remedies

It has been suggested that the extract procedure use filepath.EvalSymlinks to determine whether the target is within the extraction directory. Unfortunately, this approach is unavailable in this context, because it would prevent legitimate patterns from being carried out. A simple case is a file mysql-8.0.22-macos10.15-x86_64/bin/libprotobuf-lite.3.11.4.dylib with a linkName ../lib/libprotobuf-lite.3.11.4.dylib, if the linked file has not been created yet, filepath.EvalSymlinks would fail, as it acts on existing files only.

An alternative method is comparing the depth (how many directories) of the file name with the depth of the link name. If the link name has a higher depth than the local file, we block the operation with an appropriate error:

Unpacking tarball exploit/mysql-8.0.22-macos10.15-x86_64.tar.gz to $HOME/opt/mysql/test8.0.22
......
link '../../../../../../../../../../etc' points outside target directory

exit status 1

As an additional fortifier, we can check whether the link points to an existing file, calculate its absolute name, and compare it with the absolute name of the extraction directory. A link to a full path (such as /etc/passwd) would fail this test, and trigger an error.

The same check can be applied to a link to a non existing file with absolute path.

Patches

Patched in release 1.58.2

For more information

If you have any questions or comments about this advisory:

Open an issue in dbdeployer

Affected Packages

1 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
🐹Go	`github.com/datacharmer/dbdeployer`	all versions	1.58.2

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/datacharmer/dbdeployer. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/datacharmer/dbdeployer to 1.58.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-47wr-426j-fr82 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-47wr-426j-fr82 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-47wr-426j-fr82. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Impact _Users unpacking a tarball through dbdeployer may use a maliciously packaged tarball that contains symlinks to files external to the target. In such scenario, an attacker could induce dbdeployer to write into a system file, thus altering the computer defences._ ### Mitigating factors For the attach to succeed, the following factors need to contribute: * The user is logged in as root. While dbdeployer is usable as root, it was designed to run as unprivileged user. * The user has taken a tarball from a non secure source, without testing the checksum. When the tarball is retrieved t

O3 Security · Impact-Aware SCA

Is GHSA-47wr-426j-fr82 in your dependencies?

O3 detects GHSA-47wr-426j-fr82 across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works