Home > Vulnerability Database > CVE-2025-68119

Mend.io Vulnerability Database

CVE-2025-68119

Good to know:

Date: January 28, 2026

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths.

Severity Score

7.0

Related Resources (7)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-68119

Url: https://github.com/golang/go/issues/77099

Url: https://go.dev/issue/77099

Url: https://go.dev/cl/736710

Url: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc

Url: https://pkg.go.dev/vuln/GO-2026-4338

Url: https://www.mend.io/vulnerability-database/CVE-2025-68119

Severity Score

7.0

Top Fix

Upgrade Version

Upgrade to version https://github.com/golang/go.git - go1.26rc2;https://github.com/golang/go.git - go1.25.6;https://github.com/golang/go.git - go1.24.12

Learn More

CVSS v3.1

Base Score:	7.0
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-68119

Good to know:

Date: January 28, 2026

Severity Score

Related Resources (7)

Severity Score

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?