Fluid Attacks Database

Description

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	golang-1.15	=1.15.15-1 \|\| =1.15.15-1~deb11u1 \|\| =1.15.15-1~deb11u2 \|\| =1.15.15-1~deb11u3 \|\| =1.15.15-1~deb11u4 \|\| =1.15.15-2 \|\| =1.15.15-3 \|\| =1.15.15-4 \|\| =1.15.15-5 \|\| =1.15.9-6	-
debian 13	golang-1.24	=1.24.12-1 \|\| =1.24.13-1 \|\| =1.24.13-2 \|\| =1.24.4-1 \|\| =1.24.4-2 \|\| =1.24.4-3 \|\| =1.24.4-4 \|\| =1.24.7-1 \|\| =1.24.8-1 \|\| =1.24.9-1	-
debian 12	golang-1.19	=1.19.10-1 \|\| =1.19.10-2 \|\| =1.19.11-1 \|\| =1.19.12-1 \|\| =1.19.12-2 \|\| =1.19.12-2~bpo11+1 \|\| =1.19.12-2~bpo12+1 \|\| =1.19.13-1 \|\| =1.19.13-1~bpo11+1 \|\| =1.19.13-1~bpo12+1 \|\| =1.19.8-2 \|\| =1.19.9-1	-
go	stdlib	>=0 <1.23.12	1.23.12
rpm rhel9	toolbox	-	-
rpm rhel8	osbuild-composer	-	-
rpm rhel8	skopeo	-	-
rpm rhel8	buildah	-	-
rpm rhel10	opentelemetry-collector	-	-
rpm rhel10	conmon	-	-

1-10 of 73

Aliases

1. CVE-2025-479062. NVD-2025-479063. OSV-DEBIAN-2025-479064. OSV-2025-479065. OSV-GO-2025-39566. GCVE-2025-479067. SECURITY-TRACKER-CVE-2025-47906

References

1. https://go.dev/cl/6917752. https://go.dev/issue/744663. https://groups.google.com/g/golang-announce/c/x5MKroML2yM

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.