Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-4674

Summary
Assigner-Go
Assigner Org ID-1bb62c36-49e3-4200-9d77-64a1400537cc
Published At-29 Jul, 2025 | 21:19
Updated At-04 Nov, 2025 | 21:10
Rejected At-
Credits

Unexpected command execution in untrusted VCS repositories in cmd/go

The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Go
Assigner Org ID:1bb62c36-49e3-4200-9d77-64a1400537cc
Published At:29 Jul, 2025 | 21:19
Updated At:04 Nov, 2025 | 21:10
Rejected At:
▼CVE Numbering Authority (CNA)
Unexpected command execution in untrusted VCS repositories in cmd/go

The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.

Affected Products
Vendor
Go toolchain
Product
cmd/go
Collection URL
https://pkg.go.dev
Package Name
cmd/go
Default Status
unaffected
Versions
Affected
  • From 0 before 1.23.11 (semver)
  • From 1.24.0-0 before 1.24.5 (semver)
Problem Types
TypeCWE IDDescription
N/AN/ACWE-73: External Control of File Name or Path
Type: N/A
CWE ID: N/A
Description: CWE-73: External Control of File Name or Path
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
RyotaK (https://ryotak.net) of GMO Flatt Security Inc
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://go.dev/cl/686515
N/A
https://go.dev/issue/74380
N/A
https://groups.google.com/g/golang-announce/c/gTNJnDXmn34
N/A
https://pkg.go.dev/vuln/GO-2025-3828
N/A
Hyperlink: https://go.dev/cl/686515
Resource: N/A
Hyperlink: https://go.dev/issue/74380
Resource: N/A
Hyperlink: https://groups.google.com/g/golang-announce/c/gTNJnDXmn34
Resource: N/A
Hyperlink: https://pkg.go.dev/vuln/GO-2025-3828
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-73CWE-73 External Control of File Name or Path
Type: CWE
CWE ID: CWE-73
Description: CWE-73 External Control of File Name or Path
Metrics
VersionBase scoreBase severityVector
3.18.6HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Version: 3.1
Base score: 8.6
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://www.openwall.com/lists/oss-security/2025/07/08/5
N/A
Hyperlink: http://www.openwall.com/lists/oss-security/2025/07/08/5
Resource: N/A
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@golang.org
Published At:29 Jul, 2025 | 22:15
Updated At:29 Jan, 2026 | 19:15

The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.6HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 8.6
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CPE Matches
Go
golang
>>go>>Versions before 1.23.11(exclusive)
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Go
golang
>>go>>Versions from 1.24.0(inclusive) to 1.24.5(exclusive)
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-73Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-73
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://go.dev/cl/686515security@golang.org
Patch
https://go.dev/issue/74380security@golang.org
Issue Tracking
Third Party Advisory
https://groups.google.com/g/golang-announce/c/gTNJnDXmn34security@golang.org
Mailing List
Release Notes
https://pkg.go.dev/vuln/GO-2025-3828security@golang.org
Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/07/08/5af854a3a-2127-422b-91ae-364da2661108
Mailing List
Release Notes
Hyperlink: https://go.dev/cl/686515
Source: security@golang.org
Resource:
Patch
Hyperlink: https://go.dev/issue/74380
Source: security@golang.org
Resource:
Issue Tracking
Third Party Advisory
Hyperlink: https://groups.google.com/g/golang-announce/c/gTNJnDXmn34
Source: security@golang.org
Resource:
Mailing List
Release Notes
Hyperlink: https://pkg.go.dev/vuln/GO-2025-3828
Source: security@golang.org
Resource:
Vendor Advisory
Hyperlink: http://www.openwall.com/lists/oss-security/2025/07/08/5
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Mailing List
Release Notes

Change History

0
Information is not available yet

Similar CVEs

3Records found
CVE-2025-61732
Matching Score-8
Assigner-Go Project
ShareView Details
Matching Score-8
Assigner-Go Project
CVSS Score-8.6||HIGH
EPSS-0.21% / 10.54%
||
7 Day CHG~0.00%
Published-05 Feb, 2026 | 03:42
Updated-10 Feb, 2026 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential code smuggling via doc comments in cmd/cgo

A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

Action-Not Available
Vendor-Go toolchainGo
Product-gocmd/cgo
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-30284
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.6||HIGH
EPSS-0.21% / 11.09%
||
7 Day CHG~0.00%
Published-31 Mar, 2026 | 00:00
Updated-06 Apr, 2026 | 15:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An arbitrary file overwrite vulnerability in UXGROUP LLC Voice Recorder v10.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

Action-Not Available
Vendor-uxgroupllcn/a
Product-voice_recordern/a
CWE ID-CWE-73
External Control of File Name or Path
CVE-2026-11527
Matching Score-4
Assigner-CPAN Security Group
ShareView Details
Matching Score-4
Assigner-CPAN Security Group
CVSS Score-8.6||HIGH
EPSS-0.62% / 45.04%
||
7 Day CHG+0.01%
Published-14 Jun, 2026 | 11:40
Updated-19 Jun, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle

Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle. Config::IniFiles::_make_filehandle opens a filename argument with Perl's 2-arg open(), so a filename that begins or ends with a pipe ("| cmd", "cmd |") or begins with a redirect ("> path", ">> path") is run as a command or redirect rather than opened as a file. The helper is the open path behind the documented -file argument: new(-file => $thing) reaches it through ReadConfig. An in-memory scalar reference (-file => \$text) does not open a path and is unaffected. Any caller that forwards untrusted input to the -file argument can run an arbitrary command or truncate a file under the process UID.

Action-Not Available
Vendor-SHLOMIF
Product-Config::IniFiles
CWE ID-CWE-73
External Control of File Name or Path
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Details not found