CVE-2025-47907

Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
GoCNA
---
---
CISA-ADPADP
7 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 16%
Debian logo
Debian Releases
Debian Product
Codename
golang-1.15
bullseye
vulnerable
trixie
no-dsa
bookworm
no-dsa
golang-1.19
bookworm
vulnerable
trixie
no-dsa
bullseye
postponed
golang-1.23
sid
vulnerable
trixie
no-dsa
bookworm
no-dsa
bullseye
postponed
golang-1.24
trixie
no-dsa
bookworm
no-dsa
bullseye
postponed
forky
vulnerable
sid
vulnerable
Vulnerability Media Exposure
References
https://go.dev/cl/693735
https://go.dev/issue/74831
https://groups.google.com/g/golang-announce/c/x5MKroML2yM
https://pkg.go.dev/vuln/GO-2025-3849