CVE-2025-4674

The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.6 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
GoCNA
---
---
CISA-ADPADP
8.6 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
golang-1.15
bullseye
vulnerable
trixie
no-dsa
bookworm
no-dsa
golang-1.19
bookworm
vulnerable
trixie
no-dsa
bullseye
postponed
golang-1.23
sid
vulnerable
trixie
no-dsa
bookworm
no-dsa
bullseye
postponed
golang-1.24
forky
vulnerable
trixie
no-dsa
bookworm
no-dsa
bullseye
postponed
sid
vulnerable
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://go.dev/cl/686515
https://go.dev/issue/74380
https://groups.google.com/g/golang-announce/c/gTNJnDXmn34
https://pkg.go.dev/vuln/GO-2025-3828