CVE-2025-4674

Published: Jul 29, 2025Modified: Jan 29, 2026

8.6

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 6.0

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.

Affected (2)

Products: Golang: Go

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Golang Go	Before 1.23.11
Golang Go	From 1.24.0 to 1.24.5

Related CWEs

External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations.

References (5)

https://go.dev/cl/686515

Source: security@golang.org

Patch

https://go.dev/issue/74380

Source: security@golang.org

Issue TrackingThird Party Advisory

https://groups.google.com/g/golang-announce/c/gTNJnDXmn34

Source: security@golang.org

Mailing ListRelease Notes

https://pkg.go.dev/vuln/GO-2025-3828

Source: security@golang.org

Vendor Advisory

http://www.openwall.com/lists/oss-security/2025/07/08/5

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListRelease Notes

Timeline

No history available yet.