CVE-2025-68119
Published 2026-01-28
CVE-2025-68119: Downloading and building modules with malicious version strings can cause local code execution
Priority: P3 (39) | Severity: high | CVSS 3.1 base score: 7.0
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.34% (25.3rd percentile)
Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.24 1.24.13-1 (forky) | golang-1.24 1.24.13-1 (forky) |
| debian | golang-1.19 | < golang-1.24 1.24.13-1 (forky) | golang-1.24 1.24.13-1 (forky) |
| debian | golang-1.24 | < golang-1.24 1.24.13-1 (forky) | golang-1.24 1.24.13-1 (forky) |
| debian | golang-1.25 | < golang-1.24 1.24.13-1 (forky) | golang-1.24 1.24.13-1 (forky) |
| go_toolchain | cmd_go | >= 1.25.0 < 1.25.6 | 1.25.6 |
| golang | go | < 1.24.12 | 1.24.12 |
| golang | go | >= 1.25.0 < 1.25.6 | 1.25.6 |
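Two checks follow from the description and the affected ranges above: is the toolchain on a release that carries the fix (1.24.12 or 1.25.6 and later), and does a `module@version` query that a CI job accepts from users look like something an external hg or git command could read as an option or a path? The program below is an added example written for this page; it is not code from the Go project or from any of the sources quoted here. It assumes the fixed versions in the table above, that the input to the toolchain check is `go version` output, and that a leading `-`, a `..` element, a `/` or whitespace in the version are the shapes worth rejecting. The character allow-lists are this example's own, not the toolchain's version or import-path grammar.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// fixedPatch maps each supported Go minor to the first patch release that
// carries the fix, taken from the affected ranges on this page
// (go < 1.24.12 and 1.25.0 <= go < 1.25.6 are affected).
var fixedPatch = map[int]int{24: 12, 25: 6}

// goVersionRE finds "go1.25.5" or "go1.26rc1" inside a string, so it accepts
// both the bare "goX.Y.Z" form and the full output of `go version`.
var goVersionRE = regexp.MustCompile(`\bgo1\.(\d+)(?:\.(\d+))?`)

// ToolchainIsFixed reports whether the toolchain named by v contains the fix.
// Pre-releases (rc/beta) count as patch 0 of their minor. Minors below 1.24
// are out of upstream support and received no fix, so they report false.
func ToolchainIsFixed(v string) (bool, error) {
	m := goVersionRE.FindStringSubmatch(v)
	if m == nil {
		return false, fmt.Errorf("unrecognised Go version %q", v)
	}
	minor, _ := strconv.Atoi(m[1])
	patch := 0
	if m[2] != "" {
		patch, _ = strconv.Atoi(m[2])
	}
	switch {
	case minor < 24:
		return false, nil
	case minor > 25:
		return true, nil
	default:
		return patch >= fixedPatch[minor], nil
	}
}

// versionRE is this example's own allow-list (an assumption, not the
// toolchain's grammar) for the text after '@': semantic versions such as
// v1.2.3-rc1+meta, pseudo-versions such as v0.0.0-20250101000000-abcdefabcdef,
// the keywords latest/upgrade/patch, and tag or commit names from the same
// character set. The first character must be alphanumeric, so nothing that
// looks like a command-line option passes.
var versionRE = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._+-]*$`)

// modulePathRE is the matching allow-list for the module path (assumption).
var modulePathRE = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._/-]*$`)

func validateVersion(v string) error {
	switch {
	case v == "":
		return fmt.Errorf("empty version")
	case strings.HasPrefix(v, "-"):
		return fmt.Errorf("version %q starts with '-' (option-like)", v)
	case strings.Contains(v, ".."):
		return fmt.Errorf("version %q contains '..' (traversal-like)", v)
	case !versionRE.MatchString(v):
		return fmt.Errorf("version %q has characters outside the allow-list", v)
	}
	return nil
}

func validateModulePath(p string) error {
	switch {
	case p == "":
		return fmt.Errorf("empty module path")
	case strings.Contains(p, ".."):
		return fmt.Errorf("module path %q contains '..'", p)
	case !modulePathRE.MatchString(p):
		return fmt.Errorf("module path %q has characters outside the allow-list", p)
	}
	return nil
}

// SafeModuleQuery validates both halves of a "path@version" query and returns
// the single argument to hand to `go get` or `go mod download`. A CI wrapper
// that takes the version from users should fail here rather than let the
// string reach the toolchain and, through it, an external hg or git command.
func SafeModuleQuery(path, version string) (string, error) {
	if err := validateModulePath(path); err != nil {
		return "", err
	}
	if err := validateVersion(version); err != nil {
		return "", err
	}
	return path + "@" + version, nil
}

func main() {
	for _, v := range []string{"go version go1.25.5 linux/amd64", "go1.25.6", "go1.24.11"} {
		ok, err := ToolchainIsFixed(v)
		fmt.Printf("%-34s fixed=%v err=%v\n", v, ok, err)
	}
	// Constructed sample queries; the last three have the shapes worth rejecting.
	for _, q := range [][2]string{
		{"example.com/m", "v1.2.3"}, {"example.com/m", "latest"},
		{"example.com/m", "-e"}, {"example.com/m", "v1.0.0/../../tmp/x"},
		{"example.com/m", "v1.0.0 --option"},
	} {
		s, err := SafeModuleQuery(q[0], q[1])
		fmt.Printf("%-40q -> %q err=%v\n", q[0]+"@"+q[1], s, err)
	}
}
```

The toolchain check is the one to wire into a pipeline gate; the query validator is a belt-and-braces control for wrappers that accept versions from untrusted inputs, since the advisory states the issue is only reachable when a malicious version string is explicitly passed to the toolchain.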
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | | 7.0 | HIGH | |
| vendor_debian | | 7.0 | HIGH | |
| vendor_redhat | | 7.0 | HIGH | |
Red Hat
cmd/go: Local code execution and arbitrary file write via malicious module version strings
vendor_redhat · 2026-01-28 · CVSS 7.0 · HIGH · CWE-78
Description: identical to the NVD text above.
Debian
CVE-2025-68119: golang-1.15 - Downloading and building modules with malicious version strings can cause local code execution
vendor_debian · 2025 · CVSS 7.0 · HIGH
Description: identical to the NVD text above.
Scope: local
bullseye: open
OSV
Unexpected code execution when invoking toolchain in cmd/go
osv · 2026-01-28
Description: identical to the NVD text above.
OSV
CVE-2025-68119: Downloading and building modules with malicious version strings can cause local code execution
osv · 2026-01-28 · CVSS 7.0 · HIGH
Description: identical to the NVD text above.
GHSA
GHSA-cm6p-qc7v-m3jw: Downloading and building modules with malicious version strings can cause local code execution
ghsa_unreviewed · 2026-01-28 · HIGH · CWE-787
Description: identical to the NVD text above.
Note the CWE disagreement between sources: Red Hat files this issue under CWE-78 (OS command injection), which matches the hg command-construction path in the description, while the unreviewed GHSA entry carries CWE-787 (out-of-bounds write), which describes neither the command execution nor the arbitrary file write. Treat the GHSA classification as unreviewed.
No detection rules found.
No public exploits indexed.
Wiz (related entry for a different CVE)
CVE-2025-47911 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3 · MEDIUM · CNA score 5.3 · published February 5, 2026
Terraform Community vulnerability analysis and mitigation
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. (Source: NVD)
Affected technologies: Terraform Community, Packer. Affected packages and libraries: cri-o, kubernetes.
Public exploit: no. CISA KEV: no (release date N/A, due date N/A). EPSS percentile: 3.6; EPSS probability: N/A.
CBL-Mariner 2.0: severity MEDIUM, has fix, added Mar 04, 2026.
CBL-Mariner 3.0 Severity MEDIUM Has Fix Added at: M
Wiz
CVE-2025-68119 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.0 · HIGH
cAdvisor vulnerability analysis and mitigation
Description: identical to the NVD text above. (Source: NVD)
Score: 7.0
Wiz (related entry for a different CVE)
CVE-2025-11065 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3 · MEDIUM · CNA score 5.3 · published January 26, 2026
Terraform Community vulnerability analysis and mitigation
A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts. (Source: NVD)
Affected technologies: Terraform Community, Packer. Affected packages and libraries: grafana-11.2, kyverno-fips-1.12.
Public exploit: no. CISA KEV: no (release date N/A, due date N/A). EPSS percentile: 0.8; EPSS probability: N/A.