CVE-2025-47906

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
GoCNA
---
---
CISA-ADPADP
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
golang-1.15
bullseye
vulnerable
trixie
no-dsa
bookworm
no-dsa
golang-1.19
bookworm
vulnerable
trixie
no-dsa
bullseye
postponed
golang-1.23
sid
vulnerable
trixie
no-dsa
bookworm
no-dsa
bullseye
postponed
golang-1.24
forky
vulnerable
trixie
no-dsa
bookworm
no-dsa
bullseye
postponed
sid
vulnerable
Vulnerability Media Exposure
References
https://go.dev/cl/691775
https://go.dev/issue/74466
https://groups.google.com/g/golang-announce/c/x5MKroML2yM
https://pkg.go.dev/vuln/GO-2025-3956