csaf_redhat - rhsa-2025:13935

rhsa-2025:13935

Vulnerability from csaf_redhat

Published

2025-08-18 00:53

Modified

2025-11-11 20:38

Summary

Red Hat Security Advisory: golang security update

Notes

Topic

An update for golang is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

The golang packages provide the Go programming language compiler. Security Fix(es): * cmd/go: Go VCS Command Execution Vulnerability (CVE-2025-4674) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for golang is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The golang packages provide the Go programming language compiler.\n\nSecurity Fix(es):\n\n* cmd/go: Go VCS Command Execution Vulnerability (CVE-2025-4674)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:13935",
        "url": "https://access.redhat.com/errata/RHSA-2025:13935"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2384329",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2384329"
      },
      {
        "category": "external",
        "summary": "RHEL-108935",
        "url": "https://issues.redhat.com/browse/RHEL-108935"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_13935.json"
      }
    ],
    "title": "Red Hat Security Advisory: golang security update",
    "tracking": {
      "current_release_date": "2025-11-11T20:38:59+00:00",
      "generator": {
        "date": "2025-11-11T20:38:59+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2025:13935",
      "initial_release_date": "2025-08-18T00:53:52+00:00",
      "revision_history": [
        {
          "date": "2025-08-18T00:53:52+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-08-18T00:53:52+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-11T20:38:59+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux AppStream (v. 9)",
                "product": {
                  "name": "Red Hat Enterprise Linux AppStream (v. 9)",
                  "product_id": "AppStream-9.6.0.Z.MAIN.EUS",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "go-toolset-0:1.24.6-1.el9_6.aarch64",
                "product": {
                  "name": "go-toolset-0:1.24.6-1.el9_6.aarch64",
                  "product_id": "go-toolset-0:1.24.6-1.el9_6.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/go-toolset@1.24.6-1.el9_6?arch=aarch64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-0:1.24.6-1.el9_6.aarch64",
                "product": {
                  "name": "golang-0:1.24.6-1.el9_6.aarch64",
                  "product_id": "golang-0:1.24.6-1.el9_6.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang@1.24.6-1.el9_6?arch=aarch64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-bin-0:1.24.6-1.el9_6.aarch64",
                "product": {
                  "name": "golang-bin-0:1.24.6-1.el9_6.aarch64",
                  "product_id": "golang-bin-0:1.24.6-1.el9_6.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang-bin@1.24.6-1.el9_6?arch=aarch64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-race-0:1.24.6-1.el9_6.aarch64",
                "product": {
                  "name": "golang-race-0:1.24.6-1.el9_6.aarch64",
                  "product_id": "golang-race-0:1.24.6-1.el9_6.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang-race@1.24.6-1.el9_6?arch=aarch64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "go-toolset-0:1.24.6-1.el9_6.ppc64le",
                "product": {
                  "name": "go-toolset-0:1.24.6-1.el9_6.ppc64le",
                  "product_id": "go-toolset-0:1.24.6-1.el9_6.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/go-toolset@1.24.6-1.el9_6?arch=ppc64le"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-0:1.24.6-1.el9_6.ppc64le",
                "product": {
                  "name": "golang-0:1.24.6-1.el9_6.ppc64le",
                  "product_id": "golang-0:1.24.6-1.el9_6.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang@1.24.6-1.el9_6?arch=ppc64le"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-bin-0:1.24.6-1.el9_6.ppc64le",
                "product": {
                  "name": "golang-bin-0:1.24.6-1.el9_6.ppc64le",
                  "product_id": "golang-bin-0:1.24.6-1.el9_6.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang-bin@1.24.6-1.el9_6?arch=ppc64le"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-race-0:1.24.6-1.el9_6.ppc64le",
                "product": {
                  "name": "golang-race-0:1.24.6-1.el9_6.ppc64le",
                  "product_id": "golang-race-0:1.24.6-1.el9_6.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang-race@1.24.6-1.el9_6?arch=ppc64le"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "go-toolset-0:1.24.6-1.el9_6.x86_64",
                "product": {
                  "name": "go-toolset-0:1.24.6-1.el9_6.x86_64",
                  "product_id": "go-toolset-0:1.24.6-1.el9_6.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/go-toolset@1.24.6-1.el9_6?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-0:1.24.6-1.el9_6.x86_64",
                "product": {
                  "name": "golang-0:1.24.6-1.el9_6.x86_64",
                  "product_id": "golang-0:1.24.6-1.el9_6.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang@1.24.6-1.el9_6?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-bin-0:1.24.6-1.el9_6.x86_64",
                "product": {
                  "name": "golang-bin-0:1.24.6-1.el9_6.x86_64",
                  "product_id": "golang-bin-0:1.24.6-1.el9_6.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang-bin@1.24.6-1.el9_6?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-race-0:1.24.6-1.el9_6.x86_64",
                "product": {
                  "name": "golang-race-0:1.24.6-1.el9_6.x86_64",
                  "product_id": "golang-race-0:1.24.6-1.el9_6.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang-race@1.24.6-1.el9_6?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "go-toolset-0:1.24.6-1.el9_6.s390x",
                "product": {
                  "name": "go-toolset-0:1.24.6-1.el9_6.s390x",
                  "product_id": "go-toolset-0:1.24.6-1.el9_6.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/go-toolset@1.24.6-1.el9_6?arch=s390x"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-0:1.24.6-1.el9_6.s390x",
                "product": {
                  "name": "golang-0:1.24.6-1.el9_6.s390x",
                  "product_id": "golang-0:1.24.6-1.el9_6.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang@1.24.6-1.el9_6?arch=s390x"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-bin-0:1.24.6-1.el9_6.s390x",
                "product": {
                  "name": "golang-bin-0:1.24.6-1.el9_6.s390x",
                  "product_id": "golang-bin-0:1.24.6-1.el9_6.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang-bin@1.24.6-1.el9_6?arch=s390x"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-race-0:1.24.6-1.el9_6.s390x",
                "product": {
                  "name": "golang-race-0:1.24.6-1.el9_6.s390x",
                  "product_id": "golang-race-0:1.24.6-1.el9_6.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang-race@1.24.6-1.el9_6?arch=s390x"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "golang-0:1.24.6-1.el9_6.src",
                "product": {
                  "name": "golang-0:1.24.6-1.el9_6.src",
                  "product_id": "golang-0:1.24.6-1.el9_6.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang@1.24.6-1.el9_6?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "golang-docs-0:1.24.6-1.el9_6.noarch",
                "product": {
                  "name": "golang-docs-0:1.24.6-1.el9_6.noarch",
                  "product_id": "golang-docs-0:1.24.6-1.el9_6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang-docs@1.24.6-1.el9_6?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-misc-0:1.24.6-1.el9_6.noarch",
                "product": {
                  "name": "golang-misc-0:1.24.6-1.el9_6.noarch",
                  "product_id": "golang-misc-0:1.24.6-1.el9_6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang-misc@1.24.6-1.el9_6?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-src-0:1.24.6-1.el9_6.noarch",
                "product": {
                  "name": "golang-src-0:1.24.6-1.el9_6.noarch",
                  "product_id": "golang-src-0:1.24.6-1.el9_6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang-src@1.24.6-1.el9_6?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-tests-0:1.24.6-1.el9_6.noarch",
                "product": {
                  "name": "golang-tests-0:1.24.6-1.el9_6.noarch",
                  "product_id": "golang-tests-0:1.24.6-1.el9_6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang-tests@1.24.6-1.el9_6?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go-toolset-0:1.24.6-1.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64"
        },
        "product_reference": "go-toolset-0:1.24.6-1.el9_6.aarch64",
        "relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go-toolset-0:1.24.6-1.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le"
        },
        "product_reference": "go-toolset-0:1.24.6-1.el9_6.ppc64le",
        "relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go-toolset-0:1.24.6-1.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x"
        },
        "product_reference": "go-toolset-0:1.24.6-1.el9_6.s390x",
        "relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go-toolset-0:1.24.6-1.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64"
        },
        "product_reference": "go-toolset-0:1.24.6-1.el9_6.x86_64",
        "relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-0:1.24.6-1.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64"
        },
        "product_reference": "golang-0:1.24.6-1.el9_6.aarch64",
        "relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-0:1.24.6-1.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le"
        },
        "product_reference": "golang-0:1.24.6-1.el9_6.ppc64le",
        "relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-0:1.24.6-1.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x"
        },
        "product_reference": "golang-0:1.24.6-1.el9_6.s390x",
        "relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-0:1.24.6-1.el9_6.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src"
        },
        "product_reference": "golang-0:1.24.6-1.el9_6.src",
        "relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-0:1.24.6-1.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64"
        },
        "product_reference": "golang-0:1.24.6-1.el9_6.x86_64",
        "relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-bin-0:1.24.6-1.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64"
        },
        "product_reference": "golang-bin-0:1.24.6-1.el9_6.aarch64",
        "relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-bin-0:1.24.6-1.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le"
        },
        "product_reference": "golang-bin-0:1.24.6-1.el9_6.ppc64le",
        "relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-bin-0:1.24.6-1.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x"
        },
        "product_reference": "golang-bin-0:1.24.6-1.el9_6.s390x",
        "relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-bin-0:1.24.6-1.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64"
        },
        "product_reference": "golang-bin-0:1.24.6-1.el9_6.x86_64",
        "relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-docs-0:1.24.6-1.el9_6.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch"
        },
        "product_reference": "golang-docs-0:1.24.6-1.el9_6.noarch",
        "relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-misc-0:1.24.6-1.el9_6.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch"
        },
        "product_reference": "golang-misc-0:1.24.6-1.el9_6.noarch",
        "relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-race-0:1.24.6-1.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64"
        },
        "product_reference": "golang-race-0:1.24.6-1.el9_6.aarch64",
        "relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-race-0:1.24.6-1.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le"
        },
        "product_reference": "golang-race-0:1.24.6-1.el9_6.ppc64le",
        "relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-race-0:1.24.6-1.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x"
        },
        "product_reference": "golang-race-0:1.24.6-1.el9_6.s390x",
        "relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-race-0:1.24.6-1.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64"
        },
        "product_reference": "golang-race-0:1.24.6-1.el9_6.x86_64",
        "relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-src-0:1.24.6-1.el9_6.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch"
        },
        "product_reference": "golang-src-0:1.24.6-1.el9_6.noarch",
        "relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-tests-0:1.24.6-1.el9_6.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch"
        },
        "product_reference": "golang-tests-0:1.24.6-1.el9_6.noarch",
        "relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-4674",
      "cwe": {
        "id": "CWE-74",
        "name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
      },
      "discovery_date": "2025-07-29T22:00:54.774680+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2384329"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in cmd/go. The `go` command can execute arbitrary commands when processing untrusted version control system (VCS) repositories containing malicious configuration. This issue occurs because the command interprets VCS metadata, potentially leading to unintended command execution. This vulnerability allows a malicious actor to trigger this by providing a repository with a crafted VCS configuration, resulting in arbitrary code execution within the context of the `go` process.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "cmd/go: Go VCS Command Execution Vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is Important rather than Moderate because it enables arbitrary command execution at the tooling level before any code is built or reviewed, effectively compromising the software supply chain at its earliest stage. Unlike flaws that require user interaction with the code itself, this issue is triggered simply by running go operations on a malicious repository\u2014an action routinely performed by developers and automated build systems. The problem lies in cmd/go\u2019s unsafe interpretation of cross-VCS metadata, allowing an attacker to inject commands that execute with the privileges of the go process.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64",
          "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le",
          "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x",
          "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-4674"
        },
        {
          "category": "external",
          "summary": "RHBZ#2384329",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2384329"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-4674",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-4674"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-4674",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4674"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/686515",
          "url": "https://go.dev/cl/686515"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/74380",
          "url": "https://go.dev/issue/74380"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/gTNJnDXmn34",
          "url": "https://groups.google.com/g/golang-announce/c/gTNJnDXmn34"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2025-3828",
          "url": "https://pkg.go.dev/vuln/GO-2025-3828"
        }
      ],
      "release_date": "2025-07-29T21:19:08.519000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-08-18T00:53:52+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:13935"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "cmd/go: Go VCS Command Execution Vulnerability"
    },
    {
      "cve": "CVE-2025-47906",
      "cwe": {
        "id": "CWE-440",
        "name": "Expected Behavior Violation"
      },
      "discovery_date": "2025-09-18T19:00:47.541046+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2396546"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "os/exec: Unexpected paths returned from LookPath in os/exec",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-440: Expected Behavior Violation vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nAccess enforcement and least privilege limit user actions to only those explicitly permitted, reducing the risk of behavior outside defined boundaries. System configurations follow hardened baselines that disable unnecessary features and restrict execution to approved functions. Boundary protection isolates workloads and validates traffic to ensure interaction occurs only through authorized interfaces. Systems are designed to fail in a known state during unexpected input or failure to maintain stability. Additionally, real-time monitoring detects behavioral deviations, enabling timely response and containment.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64",
          "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le",
          "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x",
          "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-47906"
        },
        {
          "category": "external",
          "summary": "RHBZ#2396546",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-47906",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-47906"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/691775",
          "url": "https://go.dev/cl/691775"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/74466",
          "url": "https://go.dev/issue/74466"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM",
          "url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2025-3956",
          "url": "https://pkg.go.dev/vuln/GO-2025-3956"
        }
      ],
      "release_date": "2025-09-18T18:41:11.847000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-08-18T00:53:52+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:13935"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "os/exec: Unexpected paths returned from LookPath in os/exec"
    },
    {
      "cve": "CVE-2025-47907",
      "cwe": {
        "id": "CWE-362",
        "name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
      },
      "discovery_date": "2025-08-07T16:01:06.247481+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2387083"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in database/sql. Concurrent queries can produce unexpected results when a query is cancelled during a Scan method call on returned Rows, creating a race condition. This vulnerability allows an attacker who can initiate and cancel queries to trigger this condition, possibly leading to inconsistent data being returned to the application.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "database/sql: Postgres Scan Race Condition",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability marked as Moderate severity issues rather than Important. The os/exec LookPath flaw requires a misconfigured PATH to be exploitable, and the database/sql race condition primarily impacts applications that cancel queries while running multiple queries concurrently. Both can cause unexpected behavior, but the exploitation scope is limited and unlikely to result in direct compromise in most typical deployments.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027) vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nRed Hat enforces the principle of least functionality, ensuring that only essential features, services, and ports are enabled. The environment leverages malicious code protections such as IPS/IDS and antimalware solutions that detect and respond to indicators in real time, limiting the impact of exploitation attempts. Static code analysis and peer code review techniques are used to execute robust input validation and error-handling mechanisms to ensure all user inputs are thoroughly validated, preventing improperly validated inputs from causing system instability, exposing sensitive data, or escalating risks. In the case of successful exploitation, detection and containment controls are in place to limit impacts by alerting on anomalous system behavior in real time, while process isolation and automated orchestration via Kubernetes minimize the likelihood of concurrent execution scenarios that would trigger the race condition and help contain the impact to a single process.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64",
          "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le",
          "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x",
          "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch",
          "AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-47907"
        },
        {
          "category": "external",
          "summary": "RHBZ#2387083",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2387083"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-47907",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-47907"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47907",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47907"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/693735",
          "url": "https://go.dev/cl/693735"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/74831",
          "url": "https://go.dev/issue/74831"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM",
          "url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2025-3849",
          "url": "https://pkg.go.dev/vuln/GO-2025-3849"
        }
      ],
      "release_date": "2025-08-07T15:25:30.704000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-08-18T00:53:52+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:13935"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch",
            "AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "database/sql: Postgres Scan Race Condition"
    }
  ]
}

CVE-2025-4674 (GCVE-0-2025-4674)

Vulnerability from cvelistv5

Published

2025-07-29 21:19

Modified

2025-11-04 21:10

Severity ?

8.6 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-73: External Control of File Name or Path

Summary

The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.

References

URL

Tags

	https://go.dev/cl/686515
	https://go.dev/issue/74380
	https://groups.google.com/g/golang-announce/c/gTNJnDXmn34
	https://pkg.go.dev/vuln/GO-2025-3828

Impacted products

	Vendor	Product	Version
	Go toolchain	cmd/go	Version: 0 ≤ Version: 1.24.0-0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 8.6,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-4674",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-06T16:03:21.628652Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-73",
                "description": "CWE-73 External Control of File Name or Path",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-06T16:06:57.979Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:10:50.871Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/07/08/5"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "cmd/go",
          "product": "cmd/go",
          "vendor": "Go toolchain",
          "versions": [
            {
              "lessThan": "1.23.11",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.24.5",
              "status": "affected",
              "version": "1.24.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "RyotaK (https://ryotak.net) of GMO Flatt Security Inc"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via \"go get\", are not affected."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-73: External Control of File Name or Path",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-29T21:19:08.519Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/686515"
        },
        {
          "url": "https://go.dev/issue/74380"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/gTNJnDXmn34"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-3828"
        }
      ],
      "title": "Unexpected command execution in untrusted VCS repositories in cmd/go"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-4674",
    "datePublished": "2025-07-29T21:19:08.519Z",
    "dateReserved": "2025-05-13T23:31:07.620Z",
    "dateUpdated": "2025-11-04T21:10:50.871Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-47906 (GCVE-0-2025-47906)

Vulnerability from cvelistv5

Published

2025-09-18 18:41

Modified

2025-11-04 21:10

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

CWE

CWE-115: Misinterpretation of Input

Summary

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

References

URL

Tags

	https://go.dev/cl/691775
	https://go.dev/issue/74466
	https://groups.google.com/g/golang-announce/c/x5MKroML2yM
	https://pkg.go.dev/vuln/GO-2025-3956

Impacted products

	Vendor	Product	Version
	Go standard library	os/exec	Version: 0 ≤ Version: 1.24.0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-47906",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-18T20:42:17.936162Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-18T20:42:38.389Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:10:54.782Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/08/06/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "os/exec",
          "product": "os/exec",
          "programRoutines": [
            {
              "name": "LookPath"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.23.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.24.6",
              "status": "affected",
              "version": "1.24.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-115: Misinterpretation of Input",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-18T18:41:11.847Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/691775"
        },
        {
          "url": "https://go.dev/issue/74466"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-3956"
        }
      ],
      "title": "Unexpected paths returned from LookPath in os/exec"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-47906",
    "datePublished": "2025-09-18T18:41:11.847Z",
    "dateReserved": "2025-05-13T23:31:29.596Z",
    "dateUpdated": "2025-11-04T21:10:54.782Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-47907 (GCVE-0-2025-47907)

Vulnerability from cvelistv5

Published

2025-08-07 15:25

Modified

2025-11-04 21:10

Severity ?

7.0 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

CWE

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Summary

Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.

References

URL

Tags

	https://go.dev/cl/693735
	https://go.dev/issue/74831
	https://groups.google.com/g/golang-announce/c/x5MKroML2yM
	https://pkg.go.dev/vuln/GO-2025-3849

Impacted products

	Vendor	Product	Version
	Go standard library	database/sql	Version: 0 ≤ Version: 1.24.0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 7,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-47907",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-07T15:45:26.297503Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-07T15:48:03.634Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:10:56.083Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/08/06/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "database/sql",
          "product": "database/sql",
          "programRoutines": [
            {
              "name": "Rows.Scan"
            },
            {
              "name": "Row.Scan"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.23.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.24.6",
              "status": "affected",
              "version": "1.24.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Spike Curtis from Coder"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-07T15:25:30.704Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/693735"
        },
        {
          "url": "https://go.dev/issue/74831"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-3849"
        }
      ],
      "title": "Incorrect results returned from Rows.Scan in database/sql"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-47907",
    "datePublished": "2025-08-07T15:25:30.704Z",
    "dateReserved": "2025-05-13T23:31:29.597Z",
    "dateUpdated": "2025-11-04T21:10:56.083Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

rhsa-2025:13935

Vulnerability from csaf_redhat

CVE-2025-4674 (GCVE-0-2025-4674)

Vulnerability from cvelistv5

CVE-2025-47906 (GCVE-0-2025-47906)

Vulnerability from cvelistv5

CVE-2025-47907 (GCVE-0-2025-47907)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature