PT-2025-28646 · Go +2

Ryotak · Published 2025-01-01 · Updated 2025-07-31 · CVE-2025-4674

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

Name of the Vulnerable Software and Affected Versions:

Go versions prior to 1.24.5

Go versions prior to 1.23.11

Description:

The Go toolchain can unexpectedly execute commands when it is used inside an untrusted VCS repository. This can occur when the toolchain is run in directories fetched with VCS tools, for example a cloned Git or Mercurial repository.

Recommendations:

For versions prior to 1.24.5, update to version 1.24.5 to resolve the issue.

For versions prior to 1.23.11, update to version 1.23.11 to resolve the issue.

As a temporary workaround, consider avoiding the use of the Go toolchain in untrusted VCS repositories until a patch is applied.
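
A version check against the two fixed releases listed above, as an added example that is not part of the advisory or of the Go project. The helper name go_fix_status and the sample version strings are constructed for illustration; pre-release builds newer than the 1.24 branch are reported as unknown because the advisory does not cover them.

```shell
#!/bin/sh
# Added example. go_fix_status is a hypothetical helper name.
# Fixed releases taken from this advisory: 1.23.11 and 1.24.5.

go_fix_status() {
    v=${1#go}                          # accept "go1.24.4" or "1.24.4"
    pre=no
    case $v in
        *rc*|*beta*) pre=yes; v=${v%%rc*}; v=${v%%beta*} ;;
    esac
    case $v in
        # devel builds or anything that is not dotted digits
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    major=$1; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -ne 1 ]; then echo unknown; return 0; fi
    # Branches older than 1.23 are all "prior to 1.23.11".
    if [ "$minor" -lt 23 ]; then echo affected; return 0; fi
    case $minor in
        23) fixed_patch=11 ;;
        24) fixed_patch=5 ;;
        *)  # newer than the branches the advisory lists
            if [ "$pre" = yes ]; then echo unknown; else echo not-affected; fi
            return 0 ;;
    esac
    # A pre-release of 1.23 or 1.24 precedes every patch release of that branch.
    if [ "$pre" = yes ] || [ "$patch" -lt "$fixed_patch" ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Constructed sample versions; on a real host pass "$(go env GOVERSION)".
for sample in go1.22.12 go1.23.10 go1.23.11 go1.24.4 go1.24.5 go1.24rc1 go1.25rc1 devel; do
    printf '%s %s\n' "$sample" "$(go_fix_status "$sample")"
done
```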

Related Identifiers

ALT-PU-2025-9085
BIT-GOLANG-2025-4674
CVE-2025-4674
GO-2025-3828
MGASA-2025-0205
SUSE-SU-2025:02295-1
SUSE-SU-2025:02296-1

Affected Products

Alt Linux
Debian
Go