os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path     was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks.
    On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in     that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and     the target path is a symlink. (CVE-2025-0913)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:02120-1 advisory.

    Update to version 1.24.4 (bsc#1236217):

    - CVE-2025-22874 crypto/x509: ExtKeyUsageAny bypasses policy validation (bsc#1244158).
    - CVE-2025-0913 os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows (bsc#1244157).
    - CVE-2025-4673 net/http: sensitive headers not cleared on cross-origin redirect (bsc#1244156).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:01846-1 advisory.

    go1.24.4 (released 2025-06-05) includes security fixes to the     crypto/x509, net/http, and os packages, as well as bug fixes to     the linker, the go command, and the hash/maphash and os packages.
    ( bsc#1236217 go1.24 release tracking CVE-2025-22874 CVE-2025-0913 CVE-2025-4673)

    * CVE-2025-22874: crypto/x509: ExtKeyUsageAny bypasses policy validation (bsc#1244158)
    * CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows (bsc#1244157)
    * CVE-2025-4673: net/http: sensitive headers not cleared on cross-origin redirect (bsc#1244156)
    * os: Root.Mkdir creates directories with zero permissions on OpenBSD
    * hash/maphash: hashing channels with purego impl. of maphash.Comparable panics
    * runtime/debug: BuildSetting does not document DefaultGODEBUG
    * cmd/go: add fips140 module selection mechanism
    * cmd/link: Go 1.24.3 and 1.23.9 regression - duplicated definition of symbol dlopen
    * CVE-2025-22873: os: Root permits access to parent directory

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:01848-1 advisory.

    go1.23.10 (released 2025-06-05) includes security fixes to the     /http and os packages, as well as bug fixes to the linker.
    (bsc#1229122 go1.23 release tracking CVE-2025-0913 CVE-2025-4673)

    * CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows (bsc#1244157)
    * CVE-2025-4673: net/http: sensitive headers not cleared on cross-origin redirect (bsc#1244156)

      * runtime/debug: BuildSetting does not document DefaultGODEBUG
      * cmd/link: Go 1.24.3 and 1.23.9 regression - duplicated definition of symbol dlopen

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
251255	Linux Distros Unpatched Vulnerability : CVE-2025-0913	Nessus	Misc.	medium
240724	SUSE SLES15 Security Update : go1.24-openssl (SUSE-SU-2025:02120-1)	Nessus	SuSE Local Security Checks	high
238043	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : go1.24 (SUSE-SU-2025:01846-1)	Nessus	SuSE Local Security Checks	high
238039	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : go1.23 (SUSE-SU-2025:01848-1)	Nessus	SuSE Local Security Checks	medium

Detections

Analytics

CVE-2025-0913

medium

Tenable Plugins

medium

high

high

medium