fkie_nvd - fkie_cve-2025-47906

fkie_cve-2025-47906

Vulnerability from fkie_nvd

Published

2025-09-18 19:15

Modified

2025-09-19 16:00

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Summary

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

References

▼	URL	Tags
	security@golang.org	https://go.dev/cl/691775
	security@golang.org	https://go.dev/issue/74466
	security@golang.org	https://groups.google.com/g/golang-announce/c/x5MKroML2yM
	security@golang.org	https://pkg.go.dev/vuln/GO-2025-3956

Impacted products

	Vendor	Product	Version

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned."
    }
  ],
  "id": "CVE-2025-47906",
  "lastModified": "2025-09-19T16:00:27.847",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-09-18T19:15:37.660",
  "references": [
    {
      "source": "security@golang.org",
      "url": "https://go.dev/cl/691775"
    },
    {
      "source": "security@golang.org",
      "url": "https://go.dev/issue/74466"
    },
    {
      "source": "security@golang.org",
      "url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
    },
    {
      "source": "security@golang.org",
      "url": "https://pkg.go.dev/vuln/GO-2025-3956"
    }
  ],
  "sourceIdentifier": "security@golang.org",
  "vulnStatus": "Awaiting Analysis"
}

CVE-2025-47906 (GCVE-0-2025-47906)

Vulnerability from cvelistv5

Published

2025-09-18 18:41

Modified

2025-09-18 20:42

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

CWE

CWE-115: Misinterpretation of Input

Summary

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

References

▼	URL	Tags
	https://go.dev/cl/691775
	https://go.dev/issue/74466
	https://groups.google.com/g/golang-announce/c/x5MKroML2yM
	https://pkg.go.dev/vuln/GO-2025-3956

Impacted products

	Vendor	Product	Version
	Go standard library	os/exec	Version: 0 ≤ Version: 1.24.0 ≤

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-47906",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-18T20:42:17.936162Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-18T20:42:38.389Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "os/exec",
          "product": "os/exec",
          "programRoutines": [
            {
              "name": "LookPath"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.23.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.24.6",
              "status": "affected",
              "version": "1.24.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-115: Misinterpretation of Input",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-18T18:41:11.847Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/691775"
        },
        {
          "url": "https://go.dev/issue/74466"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-3956"
        }
      ],
      "title": "Unexpected paths returned from LookPath in os/exec"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-47906",
    "datePublished": "2025-09-18T18:41:11.847Z",
    "dateReserved": "2025-05-13T23:31:29.596Z",
    "dateUpdated": "2025-09-18T20:42:38.389Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.