- Description
- The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.
- Source
- security@golang.org
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 8.6
- Impact score
- 6
- Exploitability score
- 1.8
- Vector string
- CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
- Severity
- HIGH
- 134c704f-9b21-4f2e-91b3-4a467353bcc0
- CWE-73
- Hype score
- Not currently trending
CVE-2025-4674 The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in reposit… https://t.co/rJa16UIJpA
@CVEnew
29 Jul 2025
307 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🌟 Go 1.24.5 and 1.23.11 are released! 🔐 Security: Includes a security fix for the Go toolchain (CVE-2025-4674) 📡 Announcement: https://t.co/jkNdFeSNPA 📦 Download: https://t.co/8D9F3bteiH #golang https://t.co/QD29kq7SyN
@golang
8 Jul 2025
25419 Impressions
119 Retweets
493 Likes
29 Bookmarks
8 Replies
9 Quotes