CVE-2025-4674
CVE-2025-4674 is a high-severity vulnerability in the Go toolchain with a CVSS 3.1 base score of 8.6. The go command may execute unexpected commands when operated inside an untrusted VCS repository that carries potentially dangerous VCS configuration. EPSS estimates a 0.26% probability of exploitation in the next 30 days.
Description
The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.
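Two checks a practitioner would want before running go commands in a checkout of unknown origin: whether the installed toolchain falls in one of the affected ranges from the table below, and whether the checkout contains metadata for more than one VCS, the condition the description names (Git checkout, Mercurial metadata). The program below is an added example written for this page, not code from the Go project or the advisory. The list of marker names (`.git`, `.hg`, `.svn`, `.bzr`, `.fslckout`, `_FOSSIL_`) is an assumption covering the VCS kinds the go command drives; the version ranges are taken from the Affected Software table.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"runtime"
	"strconv"
)

// goVersion holds a release number such as 1.24.5.
type goVersion struct{ major, minor, patch int }

// versionRE accepts "go1.24.3", "1.24.3" or "go1.24"; anything after the
// numeric part (e.g. "rc1") is ignored, so "go1.24rc1" parses as 1.24.0.
var versionRE = regexp.MustCompile(`^(?:go)?(\d+)\.(\d+)(?:\.(\d+))?`)

// ParseGoVersion parses the output of `go version` / runtime.Version().
// Development builds ("devel ...") are rejected rather than guessed at.
func ParseGoVersion(s string) (goVersion, error) {
	m := versionRE.FindStringSubmatch(s)
	if m == nil {
		return goVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var v goVersion
	v.major, _ = strconv.Atoi(m[1]) // groups are digits only, Atoi cannot fail
	v.minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		v.patch, _ = strconv.Atoi(m[3])
	}
	return v, nil
}

func (v goVersion) less(o goVersion) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	return v.patch < o.patch
}

// IsAffected applies the two ranges from the Affected Software table:
// everything before 1.23.11, and 1.24.0 up to (not including) 1.24.5.
func IsAffected(version string) (bool, error) {
	v, err := ParseGoVersion(version)
	if err != nil {
		return false, err
	}
	before123Fix := v.less(goVersion{1, 23, 11})
	in124Range := !v.less(goVersion{1, 24, 0}) && v.less(goVersion{1, 24, 5})
	return before123Fix || in124Range, nil
}

// vcsMarkers maps filesystem names that mark a checkout to the VCS they
// belong to. Assumed list for this example; it is not the go command's own.
var vcsMarkers = map[string]string{
	".git": "git", ".hg": "hg", ".svn": "svn", ".bzr": "bzr",
	".fslckout": "fossil", "_FOSSIL_": "fossil",
}

// ScanVCSMetadata walks root and returns every marker found, keyed by VCS
// name, with each marker's root-relative path. Marker directories are not
// descended into.
func ScanVCSMetadata(root string) (map[string][]string, error) {
	found := map[string][]string{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		vcs, ok := vcsMarkers[d.Name()]
		if !ok {
			return nil
		}
		rel, _ := filepath.Rel(root, path)
		found[vcs] = append(found[vcs], rel)
		if d.IsDir() {
			return filepath.SkipDir
		}
		return nil
	})
	return found, err
}

// MixedVCS reports whether metadata for more than one VCS was found, which
// is the situation the advisory describes (e.g. Mercurial metadata inside a
// checkout fetched with Git).
func MixedVCS(found map[string][]string) bool { return len(found) > 1 }

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	if affected, err := IsAffected(runtime.Version()); err != nil {
		fmt.Println("toolchain check skipped:", err)
	} else if affected {
		fmt.Printf("%s is in an affected range; upgrade to 1.23.11 / 1.24.5 or later\n", runtime.Version())
	}
	found, err := ScanVCSMetadata(root)
	if err != nil {
		fmt.Println("scan failed:", err)
		os.Exit(2)
	}
	for vcs, paths := range found {
		fmt.Printf("%s metadata at %v\n", vcs, paths)
	}
	if MixedVCS(found) {
		fmt.Println("WARNING: metadata for more than one VCS; do not run go commands here on an unpatched toolchain")
		os.Exit(1)
	}
}
```

Run it as `go run check.go /path/to/checkout` before invoking `go build` or `go test` in a freshly cloned repository. A non-zero exit means either the toolchain is unpatched or the checkout is mixed; the scan is a heuristic for the condition in the description and is no substitute for upgrading.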
Metrics
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Golang | Go | < 1.23.11 |
| Golang | Go | >= 1.24.0, < 1.24.5 |
References
- https://go.dev/issue/74380 (Issue Tracking, Third Party Advisory)
- https://groups.google.com/g/golang-announce/c/gTNJnDXmn34 (Mailing List, Release Notes)
- https://pkg.go.dev/vuln/GO-2025-3828 (Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2025/07/08/5 (Mailing List, Release Notes)
Timeline
- Published
- Last Modified
- Status: Analyzed
Frequently Asked Questions
What is CVE-2025-4674?
A vulnerability in the go command. When it operates inside an untrusted repository that contains configuration for a VCS other than the one the repository was fetched with (for example, Mercurial metadata inside a Git checkout), it may execute unexpected commands. Modules retrieved with "go get" are not affected.
How severe is CVE-2025-4674?
High: CVSS 3.1 base score 8.6 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). The attack vector is local and no privileges are required, but user interaction is required (the victim runs the go command in the repository); the scope changes and the impact on confidentiality, integrity and availability is high. EPSS estimates a 0.26% probability of exploitation in the next 30 days.
How do I fix CVE-2025-4674?
Upgrade Go to 1.23.11 or 1.24.5, or a later release. Until the toolchain is upgraded, avoid running go commands inside repositories from untrusted sources, particularly checkouts that carry metadata for more than one VCS.
Are you affected by CVE-2025-4674?
Check the output of `go version`: any release before 1.23.11, or any of 1.24.0 through 1.24.4, is in an affected range.
Source: NVD / NIST
