CVE-2025-47906

MEDIUM severity · CVSS 6.5

6.5CVSS MEDIUM

Summary

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactLow

Integrity impactNone

Availability impactLow

Exploit probability (EPSS)0%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Affected products we track (1)

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Official patch: https://go.dev/cl/691775 ↗

Additional information

NVD record
https://go.dev/cl/691775Patch
https://pkg.go.dev/vuln/GO-2025-3956Advisory
https://groups.google.com/g/golang-announce/c/x5MKroML2yM
http://www.openwall.com/lists/oss-security/2025/08/06/1
https://go.dev/issue/74466Advisory