CVE-2025-4674
published 2025-07-29


Priority: P346 (high)
CVSS 3.1: 8.6 (AV:L / AC:L / PR:N / UI:R / S:C / C:H / I:H / A:H)
EPSS: 0.27% (19.0th percentile)
The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial): the go command then runs the second VCS tool against that metadata, and the tool honours whatever configuration the repository ships. Modules which are retrieved using the go command line, i.e. via "go get", are not affected. Fixed in Go 1.23.11 and 1.24.5 (see the Affected table); check a toolchain with "go version".

Affected (11 ranges)

Vendor        Product                                    Version range                    Fixed in
debian        golang-1.15                                < golang-1.24 1.24.7-1 (forky)   golang-1.24 1.24.7-1 (forky)
debian        golang-1.19                                < golang-1.24 1.24.7-1 (forky)   golang-1.24 1.24.7-1 (forky)
debian        golang-1.24                                < golang-1.24 1.24.7-1 (forky)   golang-1.24 1.24.7-1 (forky)
go_toolchain  cmd_go                                     < 1.23.11                        1.23.11
go_toolchain  cmd_go                                     >= 1.24.0-0, < 1.24.5            1.24.5
golang        go                                         < 1.23.11                        1.23.11
golang        go                                         >= 1.24.0, < 1.24.5              1.24.5
msrc          cbl2_golang_1.18.8-8_on_cbl_mariner_2.0    -                                -
msrc          cbl2_golang_1.18.8-9_on_cbl_mariner_2.0    -                                -
msrc          cbl2_golang_1.22.7-4_on_cbl_mariner_2.0    -                                -
msrc          cbl2_golang_1.22.7-5_on_cbl_mariner_2.0    -                                -
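Two checks follow from the description and the Affected table above: whether the toolchain in use falls inside the vulnerable ranges (below 1.23.11, or 1.24.0 up to but excluding 1.24.5), and whether a checkout carries metadata for more than one VCS, which is the precondition the advisory describes. The Go program below is an added example, not code from the advisory or from the Go project. The version bounds are taken from the table on this page; the set of metadata entry names it looks for (.git, .hg, .svn, .bzr, .fossil) is an assumption about which VCS tools the go command can invoke.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"runtime"
	"sort"
	"strconv"
)

// goVersionRE captures the release numbers of a Go version string such as
// "go1.24.4", "1.23.11" or "go1.25rc1"; any pre-release suffix is ignored.
var goVersionRE = regexp.MustCompile(`^(?:go)?(\d+)\.(\d+)(?:\.(\d+))?`)

// ParseGoVersion returns major, minor and patch; a missing patch (as in
// "go1.24rc1") is treated as 0. ok is false if v is not a Go version.
func ParseGoVersion(v string) (major, minor, patch int, ok bool) {
	m := goVersionRE.FindStringSubmatch(v)
	if m == nil {
		return 0, 0, 0, false
	}
	major, _ = strconv.Atoi(m[1])
	minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	return major, minor, patch, true
}

// IsAffectedGoVersion applies the ranges from the Affected table: everything
// below 1.23.11, and 1.24.0 up to but excluding 1.24.5.
func IsAffectedGoVersion(v string) bool {
	major, minor, patch, ok := ParseGoVersion(v)
	switch {
	case !ok:
		return true // fail closed on input that is not a Go version
	case major != 1:
		return major < 1
	case minor < 23:
		return true
	case minor == 23:
		return patch < 11
	case minor == 24:
		return patch < 5
	}
	return false
}

// vcsMarkers maps a metadata entry name to the VCS it implies. Assumption:
// these are the tools the go command can invoke (git, hg, svn, bzr, fossil).
// ".git" is a plain file in git worktrees, so files are matched as well.
var vcsMarkers = map[string]string{
	".git": "git", ".hg": "hg", ".svn": "svn", ".bzr": "bzr", ".fossil": "fossil",
}

// FindVCSMetadata walks root and returns, per VCS, the metadata entries found.
// It records a metadata directory and does not descend into it.
func FindVCSMetadata(root string) (map[string][]string, error) {
	found := map[string][]string{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if vcs, ok := vcsMarkers[d.Name()]; ok && path != root {
			found[vcs] = append(found[vcs], path)
			if d.IsDir() {
				return fs.SkipDir
			}
		}
		return nil
	})
	return found, err
}

// HasMixedVCS reports whether metadata for more than one VCS is present
// under root (a tree fetched with one VCS that also carries metadata for
// another). names lists the VCSs seen, sorted.
func HasMixedVCS(root string) (mixed bool, names []string, err error) {
	found, err := FindVCSMetadata(root)
	if err != nil {
		return false, nil, err
	}
	for vcs := range found {
		names = append(names, vcs)
	}
	sort.Strings(names)
	return len(names) > 1, names, nil
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	fmt.Printf("toolchain %s affected: %v\n", runtime.Version(), IsAffectedGoVersion(runtime.Version()))
	mixed, names, err := HasMixedVCS(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(2)
	}
	fmt.Printf("VCS metadata under %s: %v (mixed: %v)\n", root, names, mixed)
	if mixed {
		os.Exit(1) // do not build or test here on an unpatched toolchain
	}
}
```

Run it as "go run check.go <checkout>" on a CI runner before invoking the go command on an untrusted clone. A development toolchain whose runtime.Version() does not start with "goN.N" is reported as affected on purpose, so the check fails closed rather than silently passing.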

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     8.6    HIGH      CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
osv            -        8.6    HIGH      -
vendor_debian  -        8.6    HIGH      -
vendor_msrc    -        8.6    HIGH      -
vendor_redhat  -        8.6    HIGH      -