Severity: 7.0 HIGH (NVD)
EPSS: 0.0% (top 98.12%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Aug 7
Latest update: Jan 5

Description

Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
Exploitability: 2.2 | Impact: 4.7

Affected Packages: 5 packages

Patches

🔴Vulnerability Details

6
GHSA
flagd: Multiple Go Runtime CVEs Impact Security and Availability | 2026-01-05
OSV
flagd: Multiple Go Runtime CVEs Impact Security and Availability | 2026-01-05
OSV
Incorrect results returned from Rows.Scan in database/sql | 2025-08-07
CVEList
Incorrect results returned from Rows.Scan in database/sql | 2025-08-07
OSV
CVE-2025-47907: Cancelling a query (e | 2025-08-07

📋Vendor Advisories

3
Microsoft
Incorrect results returned from Rows.Scan in database/sql | 2025-08-12
Red Hat
database/sql: Postgres Scan Race Condition | 2025-08-07
Debian
CVE-2025-47907: golang-1.15 - Cancelling a query (e.g. by cancelling the context passed to one of the query me... | 2025

🕵️Threat Intelligence

1
Wiz
GHSA-4c5f-9mj4-m247 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-47907 — Race Condition | cvebase