CVE-2025-4674
8.6
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Go toolchain | cmd/go | 0 < 1.23.11 | affected |
| Go toolchain | cmd/go | 1.24.0-0 < 1.24.5 | affected |
Weaknesses
- CWE-73: External Control of File Name or Path
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
CVE Program Container
Additional References
References
- https://go.dev/cl/686515
- https://go.dev/issue/74380
- https://groups.google.com/g/golang-announce/c/gTNJnDXmn34
- https://pkg.go.dev/vuln/GO-2025-3828
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.