CVE-2025-4674 – toolchain

Package

Manager: go
Name: toolchain
Vulnerable Version: >=0 <1.23.11

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H

EPSS: 6e-05 pctl0.00318

Details

Unexpected command execution in untrusted VCS repositories in cmd/go The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.

Metadata

Created: 2025-07-29T21:02:00Z
Modified: 2025-07-31T07:14:38.402440Z
Source: https://osv-vulnerabilities
CWE IDs: N/A
Alternative ID: N/A
Finding: F004
Auto approve: 1