CVE-2025-47906

EUVD-2025-30195
If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 9%
Affected Products (NVD)
VendorProductVersion
golanggo
𝑥
< 1.23.12
golanggo
1.24.0 ≤
𝑥
< 1.24.6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
golang-1.15
bullseye
postponed
golang-1.19
bookworm
no-dsa
golang-1.24
trixie
no-dsa
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
go-filesystem
RHEL 9
0:3.6.0-12.el9_7
fixed
go-rpm-macros
RHEL 9
0:3.6.0-12.el9_7
fixed
go-rpm-templates
RHEL 9
0:3.6.0-12.el9_7
fixed
go-srpm-macros
RHEL 9
0:3.6.0-12.el9_7
fixed
go-toolset
RHEL 9
0:1.24.6-1.el9_6
fixed
golang
RHEL 9
0:1.24.6-1.el9_6
fixed
golang-bin
RHEL 9
0:1.24.6-1.el9_6
fixed
golang-docs
RHEL 9
0:1.24.6-1.el9_6
fixed
golang-misc
RHEL 9
0:1.24.6-1.el9_6
fixed
golang-race
RHEL 9
0:1.24.6-1.el9_6
fixed
golang-src
RHEL 9
0:1.24.6-1.el9_6
fixed
golang-tests
RHEL 9
0:1.24.6-1.el9_6
fixed
References
https://go.dev/cl/691775
https://go.dev/issue/74466
https://groups.google.com/g/golang-announce/c/x5MKroML2yM
https://pkg.go.dev/vuln/GO-2025-3956
http://www.openwall.com/lists/oss-security/2025/08/06/1