Executable Path Handling Issue in Go Language by Google
CVE-2025-47906

6.5MEDIUM

Key Information:

Vendor

Go Standard Library

Status
Os/exec
Vendor
CVE Published:
18 September 2025

Badges

đź“° News Worthy

What is CVE-2025-47906?

This vulnerability occurs when the PATH environment variable contains executable paths. Certain strings passed to the LookPath function—specifically "", ".", and ".."—may lead to unexpected behavior, returning binaries from the PATH instead of just directories. This behavior could allow attackers to manipulate executable paths, potentially resulting in unauthorized command execution.

Affected Version(s)

os/exec 0 < 1.23.12

os/exec 1.24.0 < 1.24.6

News Articles

favicon imageYanac.hu

CVE-2025-47906 | Google Go up to 1.23.11/1.24.5 os-exec LookPath PATH

A vulnerability was found in Google Go up to 1.23.11/1.24.5. It has been declared as problematic. This vulnerability affects the function LookPath of the component os-exec. The manipulation of the…

References

https://go.dev/cl/691775
https://go.dev/issue/74466
https://groups.google.com/g/golang-announce/c/x5MKroML2yM

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • đź“°

    First article discovered by Yanac.hu

  • Vulnerability Reserved

JSON
.