Malicious HTTP responses can cause a number of misbehaviors, including overwriting local files, resource exhaustion, and panics.
Protocol switching, endless redirects, and configuration bypass are possible through abuse of custom HTTP response header processing.
Arbitrary host access is possible through go-getter path traversal, symlink processing, and command injection flaws.
Asymmetric resource exhaustion can occur when go-getter processes malicious HTTP responses.
A panic can be triggered when go-getter processes password-protected ZIP files.
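One way to bound the custom-header processing described above, as an added Go example (not go-getter's code or its actual fix): cap the number of header-driven hops and check every target's scheme against an allowlist before requesting it. The header name `X-Terraform-Get`, the names `ResolveSource` and `fakeHost`, and the `mirror.example` responses are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

const redirectHeader = "X-Terraform-Get" // assumed header name, not given on this page
var ErrTooManyHops, ErrScheme = errors.New("header redirect budget exhausted"), errors.New("disallowed scheme")

// ResolveSource follows header redirects from src within maxHops hops and the allowed schemes.
func ResolveSource(c *http.Client, src string, maxHops int, allowed map[string]bool) (string, error) {
	cur, err := url.Parse(src)
	for hop := 0; err == nil; hop++ {
		if !allowed[cur.Scheme] { // checked before any request is sent
			return "", fmt.Errorf("%w: %q", ErrScheme, cur.Scheme)
		}
		resp, herr := c.Head(cur.String())
		if herr != nil {
			return "", herr
		}
		resp.Body.Close()
		next := resp.Header.Get(redirectHeader)
		if next == "" {
			return cur.String(), nil // no further hop requested
		}
		if hop >= maxHops {
			return "", ErrTooManyHops
		}
		var ref *url.URL
		if ref, err = url.Parse(next); err == nil {
			cur = cur.ResolveReference(ref) // relative values stay on the same host
		}
	}
	return "", err // src or a header value failed to parse
}

// fakeHost is a constructed in-memory server (request path -> header value), so this runs offline.
type fakeHost map[string]string

func (f fakeHost) RoundTrip(r *http.Request) (*http.Response, error) {
	return &http.Response{StatusCode: 200, Body: http.NoBody, Header: http.Header{redirectHeader: {f[r.URL.Path]}}}, nil
}

func main() { // constructed host whose header always points back at itself
	c := &http.Client{Transport: fakeHost{"/loop": "/loop"}}
	fmt.Println(ResolveSource(c, "http://mirror.example/loop", 3, map[string]bool{"http": true, "https": true}))
}
```

The scheme check runs on every hop, including the first, so a header value cannot move the download onto a getter the caller did not enable.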
discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
github.com/hashicorp/go-getter/commit/38e97387488f5439616be60874979433a12edb48
github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45
github.com/hashicorp/go-getter/pull/359
github.com/hashicorp/go-getter/pull/361