CVE-2025-4674

Date: July 29, 2025

cmd/go: unexpected command execution in untrusted VCS repositories

Various uses of the Go toolchain in untrusted VCS repositories can result in unexpected code execution. Using the Go toolchain in a directory fetched with a VCS tool (for example, by directly cloning a Git or Mercurial repository) can cause the toolchain to execute unexpected commands if that directory contains metadata for more than one VCS (such as a '.hg' directory inside a Git repository). The cause is the way the Go toolchain resolves which VCS is in use in order to embed build information in binaries and determine module versions. Versions 1.24.5 and 1.23.11 fix this issue.
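The condition the advisory describes is a checkout directory carrying metadata for more than one VCS. The following added check (not part of the advisory or of the Go project) walks a checkout and reports any directory with conflicting VCS metadata, so a CI step can refuse to invoke go build or go test on it before the toolchain is upgraded; the marker list and the exit codes are assumptions of this example.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// VCS markers checked (assumed list: git, hg, bzr, svn); Lstat is used since .git is a file in git worktrees.
var vcsMarkers = map[string]bool{".git": true, ".hg": true, ".bzr": true, ".svn": true}

// ConflictingVCS walks root and returns every directory that holds metadata
// for more than one VCS, which is the condition the advisory describes.
func ConflictingVCS(root string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || !d.IsDir() {
			return err
		}
		if path != root && vcsMarkers[d.Name()] {
			return fs.SkipDir // never descend into VCS metadata itself
		}
		n := 0
		for m := range vcsMarkers {
			if _, statErr := os.Lstat(filepath.Join(path, m)); statErr == nil {
				n++
			}
		}
		if n > 1 {
			hits = append(hits, path)
		}
		return nil
	})
	return hits, err
}

// main gates a checkout: exit 1 when any directory has conflicting metadata.
func main() {
	hits, err := ConflictingVCS(".")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, h := range hits {
		fmt.Println("conflicting VCS metadata in", h)
	}
	if len(hits) > 0 {
		os.Exit(1)
	}
}
```

Run it from the root of the fetched repository before any go command; a non-zero exit means the checkout should be inspected rather than built.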

Severity Score

Weakness Type (CWE)
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-73: External Control of File Name or Path

Top Fix

Upgrade Version

Upgrade github.com/golang/go to go1.23.11 or go1.24.5.

CVSS v3.1

Base Score:
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector (AV): LOCAL
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH
