Unexpected command execution in untrusted VCS repositories in cmd/go

8.6 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Description

The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.

Basic Information

ID CVE-2025-4674

Source Go

Published Jul 29, 2025 at 21:19

Modified Aug 6, 2025 at 16:06

Affected Product

Vendor Go toolchain

Product cmd/go

Affected Versions Go toolchain cmd/go 0
Go toolchain cmd/go 1.24.0-0

CWE Classification

CWE-73

References

{
    "lastseen": "",
    "description": "The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via \"go get\", are not affected.",
    "published": "2025-07-29T21:19:08.519Z",
    "modified": "2025-08-06T16:06:57.979Z",
    "type": "cve",
    "title": "Unexpected command execution in untrusted VCS repositories in cmd/go",
    "source": "Go",
    "references": "https://go.dev/cl/686515\nhttps://go.dev/issue/74380\nhttps://groups.google.com/g/golang-announce/c/gTNJnDXmn34\nhttps://pkg.go.dev/vuln/GO-2025-3828",
    "id": "CVE-2025-4674",
    "bulletinFamily": "",
    "cwe": [
        "CWE-73"
    ],
    "cvelist": null,
    "sourceData": "Go toolchain cmd/go 0\nGo toolchain cmd/go 1.24.0-0",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "cmd/go",
    "version": "0",
    "vendor": "Go toolchain",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Unexpected command execution in untrusted VCS repositories in cmd/go_CVE-2025-4674