Command Execution Weakness in Go for Untrusted VCS Repositories
CVE-2025-4674
What is CVE-2025-4674?
The Go command (cmd/go) may execute unexpected commands when operating in untrusted Version Control System (VCS) repositories. This happens when potentially unsafe VCS configuration is present in such a repository; for example, a repository fetched with Git that also contains Mercurial metadata can trigger unintended command execution. Modules obtained through the 'go get' command are not affected by this vulnerability.
Affected Version(s)
cmd/go 0 < 1.23.11
cmd/go 1.24.0-0 < 1.24.5
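The two checks a defender would want from this advisory are whether a given cmd/go version falls inside the affected ranges listed above, and whether a Git checkout carries metadata from another VCS (the Mercurial case the advisory names) before the go command is run inside it. The Go program below is an added example and is not code from the advisory or from the Go project. It assumes that `runtime.Version()` of the toolchain that built it is a reasonable stand-in for the cmd/go version being checked (pass a `go version` string to `IsAffected` for the exact toolchain instead), and it generalises the scan beyond `.hg` to the Bazaar (`.bzr`) and Subversion (`.svn`) metadata directories, which are not mentioned on the page.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"runtime"
	"strconv"
	"strings"
)

// goVersion holds the numeric parts of a cmd/go version string.
type goVersion struct{ major, minor, patch int }

// parseGoVersion accepts forms such as "1.23.11", "go1.24.5", "go1.24",
// "1.24.0-0" or "go1.24rc1": an optional "go" prefix is dropped, everything
// from the first character that is neither a digit nor a dot (pre-release
// tags) is ignored, and a missing patch number counts as 0.
func parseGoVersion(s string) (goVersion, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	if i := strings.IndexFunc(s, func(r rune) bool { return r != '.' && (r < '0' || r > '9') }); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return goVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil {
			return goVersion{}, fmt.Errorf("unrecognised Go version %q", s)
		}
		n[i] = v
	}
	return goVersion{n[0], n[1], n[2]}, nil
}

func (v goVersion) less(o goVersion) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	return v.patch < o.patch
}

// IsAffected reports whether a cmd/go version lies in one of the ranges from
// the advisory: [0, 1.23.11) or [1.24.0-0, 1.24.5). Pre-release tags are
// treated as the base version, so "go1.24rc1" counts as 1.24.0 (affected).
func IsAffected(version string) (bool, error) {
	v, err := parseGoVersion(version)
	if err != nil {
		return false, err
	}
	fixed123 := goVersion{1, 23, 11}
	first124 := goVersion{1, 24, 0}
	fixed124 := goVersion{1, 24, 5}
	if v.less(fixed123) {
		return true, nil
	}
	if !v.less(first124) && v.less(fixed124) {
		return true, nil
	}
	return false, nil
}

// foreignVCSDirs maps metadata directories of non-Git VCS tools to the tool
// name. Only Mercurial (.hg) is named by the advisory; .bzr and .svn are
// added here as an assumption about what else a scan should flag.
var foreignVCSDirs = map[string]string{".hg": "Mercurial", ".bzr": "Bazaar", ".svn": "Subversion"}

// FindForeignVCSMetadata walks a checkout rooted at root and returns the
// slash-separated relative paths of any non-Git VCS metadata directories it
// finds. The .git directory itself is not descended into.
func FindForeignVCSMetadata(root string) ([]string, error) {
	var found []string
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.IsDir() {
			return nil
		}
		if d.Name() == ".git" {
			return filepath.SkipDir
		}
		if _, ok := foreignVCSDirs[d.Name()]; ok {
			rel, relErr := filepath.Rel(root, path)
			if relErr != nil {
				return relErr
			}
			found = append(found, filepath.ToSlash(rel))
			return filepath.SkipDir // no need to look inside the metadata itself
		}
		return nil
	})
	return found, err
}

func main() {
	// The toolchain that built this binary stands in for the cmd/go under test.
	affected, err := IsAffected(runtime.Version())
	if err != nil {
		fmt.Fprintln(os.Stderr, "version check:", err)
	} else {
		fmt.Printf("toolchain %s affected by CVE-2025-4674: %v\n", runtime.Version(), affected)
	}
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	found, err := FindForeignVCSMetadata(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan:", err)
		os.Exit(2)
	}
	for _, p := range found {
		fmt.Printf("foreign VCS metadata: %s (%s)\n", p, foreignVCSDirs[filepath.Base(p)])
	}
	if affected || len(found) > 0 {
		os.Exit(1)
	}
}
```

Run it as `go run . /path/to/checkout`; a non-zero exit means either the toolchain is in an affected range or the checkout contains foreign VCS metadata, which is the signal to upgrade or to inspect the tree before running go commands in it.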
News Articles

Go 1.24.5 and CVE-2025-4674 - Fedora Discussion
Go 1.24.5 was officially released by the upstream two days ago. One of the changes in this version is a resolving of a security vulnerability CVE-2025-4674 that allows “unexpected command execution in untrusted VCS repositories”. When the golang package for Fedora 42 will be updated? Currently I do...
3 weeks ago

oss-sec: Go 1.24.5 & 1.23.11 fix CVE-2025-4674
oss-sec mailing list archives From: Alan Coopersmith <alan.coopersmith () oracle com> Date: Tue, 8 Jul 2025 14:33:12 -0700 https://groups.google.com/g/golang-announce/c/gTNJnDXmn34 announces: Hello...
3 weeks ago

CVE-2025-4674 Google Go cmd-go privilege escalation
A vulnerability, which was classified as problematic, has been found in Google Go up to 1.23.10/1.24.4. This vulnerability is handled as CVE-2025-4674. It is recommended to upgrade the affected component.
3 weeks ago