8.6

CVE-2025-4674

EPSS 0.01%
Veröffentlicht 29.07.2025 21:19:08
Zuletzt bearbeitet 29.01.2026 19:15:49
Quelle security@golang.org
CVE-Watchlists
Login
Unerledigt
Login

Unexpected command execution in untrusted VCS repositories in cmd/go

The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Golang ≫ Go Version < 1.23.11

Golang ≫ Go Version >= 1.24.0 < 1.24.5

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.005

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.6	1.8	6	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE-73 External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations.

https://go.dev/cl/686515

Patch

https://go.dev/issue/74380

Third Party Advisory

Issue Tracking

https://groups.google.com/g/golang-announce/c/gTNJnDXmn34

Mailing List

Release Notes

https://pkg.go.dev/vuln/GO-2025-3828

Vendor Advisory

http://www.openwall.com/lists/oss-security/2025/07/08/5

Mailing List

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2025-4674

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-4674

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-4674

EUVD