CVE-2025-4674

The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
GoCNA
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
golang-1.15
bullseye
vulnerable
bookworm
no-dsa
golang-1.19
bookworm
vulnerable
bullseye
postponed
golang-1.23
sid
vulnerable
bookworm
no-dsa
bullseye
postponed
golang-1.24
trixie
vulnerable
sid
vulnerable
bookworm
no-dsa
bullseye
postponed
References
https://go.dev/cl/686515
https://go.dev/issue/74380
https://groups.google.com/g/golang-announce/c/gTNJnDXmn34
https://pkg.go.dev/vuln/GO-2025-3828