CVE-2025-47906 — Expected Behavior Violation in Standard Library OS Exec

CWE-440 — Expected Behavior Violation9 documents8 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 90.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Standard Library OS Exec Golang GO

Timeline

PublishedSep 18

Latest updateSep 26

Description

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:LExploitability: 3.9 | Impact: 2.5

Affected Packages2 packages

▶NVDgolang/go1.24.0 — 1.24.6+1

▶CVEListV5go_standard_library/os_exec1.24.0 — 1.24.6+1

Patches

Patch: go.dev ↗

🔴Vulnerability Details

OSV

Unexpected paths returned from LookPath in os/exec↗2025-09-18

▶

OSV

CVE-2025-47906: If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", "↗2025-09-18

▶

CVEList

Unexpected paths returned from LookPath in os/exec↗2025-09-18

▶

GHSA

GHSA-gwrf-jf3h-w649: If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", "↗2025-09-18

▶

📋Vendor Advisories

Red Hat

os/exec: Unexpected paths returned from LookPath in os/exec↗2025-09-18

▶

Microsoft

Unexpected paths returned from LookPath in os/exec↗2025-09-09

▶

Debian

CVE-2025-47906: golang-1.15 - If the PATH environment variable contains paths which are executables (rather th...↗2025

▶

💬Community

Bugzilla

CVE-2025-47906 gum: Unexpected paths returned from LookPath in os/exec [fedora-42]↗2025-09-26

▶