CVE-2025-47907

Published: Aug 7, 2025Modified: Jan 29, 2026

7.0

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

Exploitability: 2.2 / Impact: 4.7

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.

Affected (2)

Products: Golang: Go

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Golang Go	Before 1.23.12
Golang Go	From 1.24.0 to 1.24.6

Related CWEs

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References (5)

https://go.dev/cl/693735

Source: security@golang.org

Patch

https://go.dev/issue/74831

Source: security@golang.org

Issue TrackingThird Party Advisory

https://groups.google.com/g/golang-announce/c/x5MKroML2yM

Source: security@golang.org

Mailing ListRelease Notes

https://pkg.go.dev/vuln/GO-2025-3849

Source: security@golang.org

Vendor Advisory

http://www.openwall.com/lists/oss-security/2025/08/06/1

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListRelease Notes

Timeline

No history available yet.