Vulnerability Description
The go command may execute unexpected commands when operating in an untrusted VCS repository. The trigger is potentially dangerous VCS configuration present in the repository, which can arise when the repository was fetched with one VCS (e.g. Git) but also contains metadata for another VCS (e.g. Mercurial). Modules retrieved with the go command itself, i.e. via "go get", are not affected.
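Two defender-side checks that follow from the description above, written here as an added example and not taken from the advisory or from the Go project: one flags a checkout that carries metadata for more than one VCS at once (the condition the advisory describes), the other tells whether a release version string falls inside the affected range the page lists (below 1.23.11). The marker-directory list is my own assumption; the page itself names only Git and Mercurial.

```shell
#!/bin/sh
# Added example, not part of the advisory or of the Go project's code.
# Checks for the CVE-2025-4674 condition: a checkout holding metadata for
# several VCS at once, and a Go toolchain below the 1.23.11 fix listed on the page.
# Assumption: the marker list below is mine; the page names only Git and Mercurial.

# Print the VCS metadata entries found at the top level of DIR, space-separated.
vcs_markers() {
  dir="$1"
  found=""
  for m in .git .hg .svn .bzr .fossil; do
    if [ -e "$dir/$m" ]; then
      found="$found $m"
    fi
  done
  printf '%s\n' "${found# }"
}

# Succeed (exit 0) when DIR contains metadata for two or more VCS at once.
has_mixed_vcs() {
  # Word splitting is intended; marker names contain no spaces.
  set -- $(vcs_markers "$1")
  [ "$#" -gt 1 ]
}

# Succeed (exit 0) when a release version such as "go1.23.10" is below 1.23.11.
# Release versions only; pre-release suffixes (rc, beta) are not handled.
go_version_affected() {
  v="${1#go}"
  major="${v%%.*}"
  rest="${v#*.}"
  minor="${rest%%.*}"
  patch="${rest#*.}"
  if [ "$rest" = "$minor" ]; then patch=0; fi   # "go1.23" has no patch component
  if [ "$v" = "$major" ]; then minor=0; fi      # "go1" has neither
  if [ "$major" -lt 1 ]; then return 0; fi
  if [ "$major" -gt 1 ]; then return 1; fi
  if [ "$minor" -lt 23 ]; then return 0; fi
  if [ "$minor" -gt 23 ]; then return 1; fi
  [ "$patch" -lt 11 ]
}

# Report on the current directory and, when a toolchain is installed, on its version.
if has_mixed_vcs .; then
  echo "WARNING: metadata for several VCS present here: $(vcs_markers .)"
fi
if command -v go >/dev/null 2>&1; then
  set -- $(go version)                 # e.g. "go version go1.23.10 linux/amd64"
  case "$3" in
    go[0-9]*)
      if go_version_affected "$3"; then
        echo "WARNING: $3 is below the 1.23.11 fix listed for CVE-2025-4674"
      fi ;;
  esac
fi
```

Run it from the root of a checkout you are about to operate on with the go command; a warning from the first check means the repository mixes VCS metadata and deserves a look before any go invocation, and a warning from the second means the toolchain is in the range the page lists as affected.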
CVSS Score
8.6 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Golang | Go | < 1.23.11 |
Related Weaknesses (CWE)
References
- https://go.dev/cl/686515 (Patch)
- https://go.dev/issue/74380 (Issue Tracking, Third Party Advisory)
- https://groups.google.com/g/golang-announce/c/gTNJnDXmn34 (Mailing List, Release Notes)
- https://pkg.go.dev/vuln/GO-2025-3828 (Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2025/07/08/5 (Mailing List, Release Notes)
FAQ
What is CVE-2025-4674?
CVE-2025-4674 is a vulnerability with a CVSS score of 8.6 (HIGH). The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a re...
How severe is CVE-2025-4674?
CVE-2025-4674 is rated HIGH with a CVSS base score of 8.6/10. See the CVSS score section above.
Is there a patch for CVE-2025-4674?
Yes. The references section above links the upstream patch, the issue tracker entry and the vendor advisory. Affected products: Golang Go, versions below 1.23.11.