8.6

CVE-2025-4674

Unexpected command execution in untrusted VCS repositories in cmd/go

The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GolangGo Version < 1.23.11
GolangGo Version >= 1.24.0 < 1.24.5
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.27% 0.191
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.6 1.8 6
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE-73 External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations.

https://go.dev/cl/686515
Patch
https://go.dev/issue/74380
Third Party Advisory
Issue Tracking
https://groups.google.com/g/golang-announce/c/gTNJnDXmn34
Mailing List
Release Notes
https://pkg.go.dev/vuln/GO-2025-3828
Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/07/08/5
Mailing List
Release Notes