


Perceptive Security
SOC/SIEM Consultancy

Billy is an interface filesystem abstraction for Go. Prior to 5.9.0, multiple path traversal issues exist across different components of go-billy. Insufficient …
Published:
27 May 2026 at 22:00:00
Alert date:
28 May 2026 at 23:02:47
Source:
nvd.nist.gov
Supply Chain & Dependencies, Web Technologies
Billy, an interface filesystem abstraction for Go, contains multiple path traversal vulnerabilities prior to version 5.9.0. The vulnerabilities stem from insufficient path sanitization and boundary enforcement, allowing attackers to craft paths using '..' to escape intended base directories. While go-billy wasn't originally designed as a security boundary, inconsistent implementations across built-in components create scenarios where applications relying on go-billy for isolation may inadvertently expose access to unintended filesystem locations. The vulnerability affects applications using go-billy components for filesystem operations and has been fixed in version 5.9.0.
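The boundary check the summary says was missing, sketched as an added example using only the Go standard library. It is not go-billy's code or its 5.9.0 fix; `NaiveJoin`, `ConfinedJoin`, `ErrEscapesBase` and the sample paths are hypothetical names and constructed values.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapesBase is returned when a requested path resolves outside the base directory.
var ErrEscapesBase = errors.New("path escapes base directory")

// NaiveJoin shows the weak pattern: join and clean, with no boundary check.
// Cleaning collapses ".." segments, so the result can land above base.
func NaiveJoin(base, name string) string {
	return filepath.Join(base, name)
}

// ConfinedJoin joins name onto base and rejects any result that is not
// lexically inside base. It does not resolve symlinks, so a symlink that
// already exists under base can still point elsewhere.
func ConfinedJoin(base, name string) (string, error) {
	base = filepath.Clean(base)
	full := filepath.Join(base, name)
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", ErrEscapesBase
	}
	// "..name" is a legal file name; only a leading ".." segment escapes.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesBase
	}
	return full, nil
}

func main() {
	base := "/srv/repos/tenant-a" // constructed sample base directory
	names := []string{ // constructed sample inputs
		"config/app.yaml",
		"../tenant-b/secrets.env",
		"a/../../../etc/passwd",
		"/abs/../ok.txt",
		"..hidden",
	}
	for _, name := range names {
		p, err := ConfinedJoin(base, name)
		fmt.Printf("%-26q naive=%-34q confined=%q err=%v\n", name, NaiveJoin(base, name), p, err)
	}
}
```

Applications that treat a base directory as an isolation boundary can apply a check of this kind at their own entry points, in addition to upgrading to 5.9.0.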
Affected products:
go-billy
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-44973
https://github.com/go-git/go-billy/security/advisories/GHSA-qw64-3x98-g7q2
This article was created with the assistance of AI technology by Perceptive.
