Executable Path Handling Issue in Go Language by Google
CVE-2025-47906

Currently unrated

Key Information:

Vendor: Go Standard Library
Status: Os/exec
Vendor: CVE Published:; 18 September 2025

🔔 Create Go Standard Library Vulnerability Alert

Badges

📰 News Worthy

What is CVE-2025-47906?

This vulnerability occurs when the PATH environment variable contains executable paths. Certain strings passed to the LookPath function—specifically "", ".", and ".."—may lead to unexpected behavior, returning binaries from the PATH instead of just directories. This behavior could allow attackers to manipulate executable paths, potentially resulting in unauthorized command execution.

Affected Version(s)

os/exec 0 < 1.23.12

os/exec 1.24.0 < 1.24.6

News Articles

Yanac.hu

CVE-2025-47906

CVE-2025-47906 | Google Go up to 1.23.11/1.24.5 os-exec LookPath PATH

A vulnerability was found in Google Go up to 1.23.11/1.24.5. It has been declared as problematic. This vulnerability affects the function LookPath of the component os-exec. The manipulation of the…

References

https://go.dev/cl/691775

https://go.dev/issue/74466

https://groups.google.com/g/golang-announce/c/x5MKroML2yM

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 18, 2025
📰
First article discovered by Yanac.hu
Aug 9, 2025
Vulnerability Reserved
May 13, 2025