Race Condition in Go's Database Interaction Leading to Unexpected Query Results
CVE-2025-47907

7 HIGH

Key Information:

Vendor
CVE Published: 7 August 2025

What is CVE-2025-47907?

This vulnerability arises when queries are cancelled unexpectedly during ongoing database operations, particularly during the execution of the Scan method. If multiple queries are processed in parallel, this can lead to a race condition where the results of one query may overwrite the expected results from another, potentially causing erroneous outputs or errors during operations. Proper handling of query cancellations and synchronization mechanisms is crucial to prevent this issue.

Affected Version(s)

database/sql 0 < 1.23.12

database/sql 1.24.0 < 1.24.6
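
The affected ranges above, turned into a check that can be run against the local toolchain or against compiled Go binaries. This is an added example, not code from the Go project or from this advisory; the function names are hypothetical. It assumes the listed database/sql versions are the Go release a binary was built with, since database/sql ships in the standard library.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime"
	"strconv"
	"strings"
)

// parseGoVersion extracts minor and patch from strings such as "go1.23.11".
// Pre-release ("go1.24rc1") and development builds are reported as not parseable.
func parseGoVersion(v string) (minor, patch int, ok bool) {
	f := strings.Fields(v)
	if len(f) == 0 || !strings.HasPrefix(f[0], "go1.") {
		return 0, 0, false
	}
	minorStr, patchStr, hasPatch := strings.Cut(f[0][len("go1."):], ".")
	minor, err := strconv.Atoi(minorStr)
	if hasPatch && err == nil {
		patch, err = strconv.Atoi(patchStr)
	}
	return minor, patch, err == nil
}

// cve202547907Status applies the ranges listed on this page:
// everything before 1.23.12, and 1.24.0 up to but not including 1.24.6.
func cve202547907Status(goVersion string) string {
	minor, patch, ok := parseGoVersion(goVersion)
	switch {
	case !ok:
		return "unknown"
	case minor < 23, minor == 23 && patch < 12, minor == 24 && patch < 6:
		return "affected"
	}
	return "not affected"
}

func main() {
	fmt.Println("this toolchain:", runtime.Version(), cve202547907Status(runtime.Version()))
	for _, path := range os.Args[1:] { // optional: compiled Go binaries to inspect
		if info, err := buildinfo.ReadFile(path); err != nil {
			fmt.Println(path, "unknown:", err)
		} else {
			fmt.Println(path, info.GoVersion, cve202547907Status(info.GoVersion))
		}
	}
}
```

A result of "unknown" means the version string could not be matched against the ranges and the binary needs manual review.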

CVSS V3.1

Score: 7
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Spike Curtis from Coder.