CVE-2025-4674

The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://go.dev/cl/686515	Patch
https://go.dev/issue/74380	Issue Tracking Third Party Advisory
https://groups.google.com/g/golang-announce/c/gTNJnDXmn34	Mailing List Release Notes
https://pkg.go.dev/vuln/GO-2025-3828	Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/07/08/5	Mailing List Release Notes

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:golang:go::::::::
	cpe:2.3:a:golang:go::::::::

History

No history.

Information

Published : 2025-07-29 22:15

Updated : 2026-01-29 19:15

NVD link : CVE-2025-4674

Mitre link : CVE-2025-4674

CVE.ORG link : CVE-2025-4674

JSON object : View

Products Affected

golang

go

CWE

CWE-73

External Control of File Name or Path

{"id": "CVE-2025-4674", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.8}]}, "published": "2025-07-29T22:15:25.380", "references": [{"url": "https://go.dev/cl/686515", "tags": ["Patch"], "source": "security@golang.org"}, {"url": "https://go.dev/issue/74380", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "security@golang.org"}, {"url": "https://groups.google.com/g/golang-announce/c/gTNJnDXmn34", "tags": ["Mailing List", "Release Notes"], "source": "security@golang.org"}, {"url": "https://pkg.go.dev/vuln/GO-2025-3828", "tags": ["Vendor Advisory"], "source": "security@golang.org"}, {"url": "http://www.openwall.com/lists/oss-security/2025/07/08/5", "tags": ["Mailing List", "Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-73"}]}], "descriptions": [{"lang": "en", "value": "The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via \"go get\", are not affected."}, {"lang": "es", "value": "El comando \"go\" puede ejecutar comandos inesperados al operar en repositorios VCS no confiables. Esto ocurre cuando existe una configuraci\u00f3n de VCS potencialmente peligrosa en los repositorios. Esto puede ocurrir cuando un repositorio se obtuvo mediante un VCS (p. ej., Git), pero contiene metadatos para otro VCS (p. ej., Mercurial). Los m\u00f3dulos obtenidos mediante la l\u00ednea de comandos \"go get\" no se ven afectados."}], "lastModified": "2026-01-29T19:15:49.300", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0A116F70-E465-4FB8-A835-C574B01B1FBC", "versionEndExcluding": "1.23.11"}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B2CFE4E4-5731-4F7E-AB81-63AC167E5E78", "versionEndExcluding": "1.24.5", "versionStartIncluding": "1.24.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@golang.org"}