ASA-2018-00075 – Go: Directory traversal in “go get” via curly braces in import paths

The "go get" command is vulnerable to directory traversal when it is executed with the import path of a malicious Go package and that import path contains curly braces (both '{' and '}' characters). Only GOPATH mode is affected; module mode is not vulnerable. An attacker can cause an arbitrary filesystem write, which can lead to code execution.
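As a defensive pre-flight check before fetching untrusted code in GOPATH mode, source files can be audited for import paths containing curly braces. The following is an added example, not code from the advisory or from the Go project; the function name `bracedImports`, the `Finding` type and the sample source with its placeholder import path are constructed for illustration.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// Finding is one import path that contains '{' or '}'.
type Finding struct {
	Line int
	Path string
}

// bracedImports parses only the import declarations of one Go source file and
// returns every import path containing a curly brace.
func bracedImports(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, parser.ImportsOnly)
	if f == nil { // nothing parsed; otherwise inspect the (possibly partial) AST
		return nil, err
	}
	var out []Finding
	for _, spec := range f.Imports {
		path, uerr := strconv.Unquote(spec.Path.Value)
		if uerr == nil && strings.ContainsAny(path, "{}") {
			out = append(out, Finding{fset.Position(spec.Path.Pos()).Line, path})
		}
	}
	return out, nil
}

// sampleSource is constructed for this example; the import path is a placeholder.
const sampleSource = `package demo

import (
	"fmt"
	"example.com/{placeholder}/pkg"
)
`

func main() {
	findings, _ := bracedImports("demo.go", sampleSource)
	for _, f := range findings {
		fmt.Printf("demo.go:%d: import path %q contains curly braces\n", f.Line, f.Path)
	}
}
```

A non-empty result is a reason to stop and review the package before running "go get" on it.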