7

CVE-2025-68119

EPSS 0.02%
Veröffentlicht 28.01.2026 19:30:30
Zuletzt bearbeitet 06.02.2026 18:40:50
Quelle security@golang.org
CVE-Watchlists
Login
Unerledigt
Login

Unexpected code execution when invoking toolchain in cmd/go

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

NVD 2 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Golang ≫ Go Version < 1.24.12

Golang ≫ Go Version >= 1.25.0 < 1.25.6

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.041

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	7	1	5.9	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc

Mailing List

Release Notes

https://go.dev/cl/736710

Patch

https://go.dev/issue/77099

Patch

Issue Tracking

https://pkg.go.dev/vuln/GO-2026-4338

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-68119

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-68119

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-68119

EUVD