CVE-2025-4674

CWE-73 CWE-748 documents7 sources

Severity

8.6HIGH

EPSS

0.0%

top 99.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Toolchain Cmd/go Golang GO

Timeline

PublishedJul 29

Latest updateJul 30

Description

The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HExploitability: 1.8 | Impact: 6.0

Affected Packages4 packages

▶Gotoolchain1.24.0-0 — 1.24.5+1

▶NVDgolang/go1.24.0 — 1.24.5+1

▶CVEListV5go_toolchain/cmd/go1.24.0-0 — 1.24.5+1

▶Debiangolang-1.24< 1.24.7-1

Patches

Patch: go.dev ↗

🔴Vulnerability Details

GHSA

GHSA-wprm-fgrx-xj42: The go command may execute unexpected commands when operating in untrusted VCS repositories↗2025-07-30

▶

OSV

Unexpected command execution in untrusted VCS repositories in cmd/go↗2025-07-29

▶

CVEList

Unexpected command execution in untrusted VCS repositories in cmd/go↗2025-07-29

▶

OSV

CVE-2025-4674: The go command may execute unexpected commands when operating in untrusted VCS repositories↗2025-07-29

▶

📋Vendor Advisories

Red Hat

cmd/go: Go VCS Command Execution Vulnerability↗2025-07-29

▶

Microsoft

Unexpected command execution in untrusted VCS repositories in cmd/go↗2025-07-08

▶

Debian

CVE-2025-4674: golang-1.15 - The go command may execute unexpected commands when operating in untrusted VCS r...↗2025

▶