CVE-2025-47906

Published: Sep 18, 2025Modified: Jan 27, 2026

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Exploitability: 3.9 / Impact: 2.5

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

Affected (2)

Products: Golang: Go

Golang

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Golang Go	Before 1.23.12
Golang Go	From 1.24.0 to 1.24.6

References (5)

https://go.dev/cl/691775

Source: security@golang.org

Patch

https://go.dev/issue/74466

Source: security@golang.org

ExploitIssue TrackingThird Party Advisory

https://groups.google.com/g/golang-announce/c/x5MKroML2yM

Source: security@golang.org

Mailing ListRelease Notes

https://pkg.go.dev/vuln/GO-2025-3956

Source: security@golang.org

Vendor Advisory

http://www.openwall.com/lists/oss-security/2025/08/06/1

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListIssue Tracking

Timeline

No history available yet.