PT-2025-28646 · Go+8

Ryotak · Published 2025-01-01 · Updated 2026-03-11 · CVE-2025-4674

CVSS v3.1: 8.6 High

Vector: AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Go versions prior to 1.24.5; Go versions prior to 1.23.11
Description: The issue is unexpected command execution when the Go toolchain is used in untrusted VCS repositories. It can occur when the toolchain is run in directories fetched using VCS tools, for example by cloning Git or Mercurial repositories.
Recommendations: For versions prior to 1.24.5, update to version 1.24.5 to resolve the issue. For versions prior to 1.23.11, update to version 1.23.11 to resolve the issue. As a temporary workaround, consider avoiding the use of the Go toolchain in untrusted VCS repositories until a patch is applied.

Fix

RCE

Related Identifiers

ALSA-2025:13935
ALSA-2025:13940
ALSA-2025:13941
ALT-PU-2025-10791
ALT-PU-2025-9085
ALT-PU-2025-9099
AZL-66098
AZL-66101
BDU:2025-09875
BIT-GOLANG-2025-4674
CESA-2025_13940
CVE-2025-4674
ECHO-6FB1-590B-9DD9
GO-2025-3828
INFSA-2025_13935
INFSA-2025_13940
MGASA-2025-0205
OESA-2025-2181
OESA-2025-2182
OESA-2025-2260
OPENSUSE-SU-2025:15328-1
OPENSUSE-SU-2025:15329-1
OPENSUSE-SU-2025:15330-1
OPENSUSE-SU-2025:15405-1
RHSA-2025:13935
RHSA-2025:13936
RHSA-2025:13939
RHSA-2025:13940
RHSA-2025:13941
RHSA-2025:14093
RHSA-2025_13935
RHSA-2025_13940
SUSE-SU-2025:02295-1
SUSE-SU-2025:02296-1
SUSE-SU-2025:02812-1
SUSE-SU-2025:02837-1
SUSE-SU-2025:02924-1
SUSE-SU-2025:03115-1
SUSE-SU-2025:03158-1
SUSE-SU-2025:03159-1
SUSE-SU-2025:03161-1
SUSE-SU-2025_02295-1
SUSE-SU-2025_02296-1
SUSE-SU-2025_02812-1
SUSE-SU-2025_02837-1
SUSE-SU-2025_02924-1
SUSE-SU-2025_03115-1
SUSE-SU-2025_03158-1
SUSE-SU-2025_03159-1
SUSE-SU-2025_03161-1
SUSE-SU-2026:0297-1
SUSE-SU-2026:0298-1

Affected Products

ALT Linux
AlmaLinux
CentOS
Debian
Go
Red Hat
RED OS
Rocky Linux
SUSE