CVE-2025-4674

HIGH severity · CVSS 8.6 · CWE-73

8.6CVSS HIGH

Summary

The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.

Impact & exploitability

Attack vectorLocal

Attack complexityLow

Privileges requiredNone

User interactionRequired

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)0%

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected products we track (1)

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Official patch: https://go.dev/cl/686515 ↗

Additional information

NVD record
https://go.dev/cl/686515Patch
https://pkg.go.dev/vuln/GO-2025-3828Advisory
https://go.dev/issue/74380Advisory
https://groups.google.com/g/golang-announce/c/gTNJnDXmn34
http://www.openwall.com/lists/oss-security/2025/07/08/5