CVE-2025-4674

EUVD-2025-23047
The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.6 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
golanggo
𝑥
< 1.23.11
golanggo
1.24.0 ≤
𝑥
< 1.24.5
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
golang-1.15
bullseye
postponed
golang-1.19
bookworm
no-dsa
golang-1.24
trixie
no-dsa
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
go-toolset
RHEL 9
0:1.24.6-1.el9_6
fixed
golang
RHEL 9
0:1.24.6-1.el9_6
fixed
golang-bin
RHEL 9
0:1.24.6-1.el9_6
fixed
golang-docs
RHEL 9
0:1.24.6-1.el9_6
fixed
golang-misc
RHEL 9
0:1.24.6-1.el9_6
fixed
golang-race
RHEL 9
0:1.24.6-1.el9_6
fixed
golang-src
RHEL 9
0:1.24.6-1.el9_6
fixed
golang-tests
RHEL 9
0:1.24.6-1.el9_6
fixed
Common Weakness Enumeration
References
https://go.dev/cl/686515
https://go.dev/issue/74380
https://groups.google.com/g/golang-announce/c/gTNJnDXmn34
https://pkg.go.dev/vuln/GO-2025-3828
http://www.openwall.com/lists/oss-security/2025/07/08/5