CVE-2025-47906

Exploit

EPSS 0.03%
Veröffentlicht 18.09.2025 18:41:11
Zuletzt bearbeitet 27.01.2026 19:56:17
Quelle security@golang.org
CVE-Watchlists
Login
Unerledigt
Login

Unexpected paths returned from LookPath in os/exec

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 0 Referenzen 8

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Golang ≫ Go Version < 1.23.12

Golang ≫ Go Version >= 1.24.0 < 1.24.6

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.086

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Es wurden noch keine Informationen zu CWE veröffentlicht.

https://groups.google.com/g/golang-announce/c/x5MKroML2yM

Mailing List

Release Notes

https://go.dev/cl/691775

Patch

https://go.dev/issue/74466

Third Party Advisory

Exploit

Issue Tracking

https://pkg.go.dev/vuln/GO-2025-3956

Vendor Advisory

http://www.openwall.com/lists/oss-security/2025/08/06/1

Mailing List

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2025-47906

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-47906

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-47906

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-47906