AI description
CVE-2025-47906 is a security vulnerability in the Go standard library, addressed in Go versions 1.24.6 and 1.23.12. It affects the `os/exec` package: the `LookPath` function may return an unexpected path when the PATH environment variable contains entries that are executable files rather than directories. Passing certain strings to LookPath ("", ".", and "..") could then cause one of the binaries listed in PATH to be returned instead of an error. A separate vulnerability, CVE-2025-47907, was fixed in the same releases in the `database/sql` package. It concerns incorrect results being returned from `Rows.Scan`: cancelling a query during a call to the Scan method of the returned Rows can trigger a race in which, when queries run in parallel, the expected results are overwritten by those of another query. Scan may therefore return unexpected results or an error; the issue is believed to affect most database/sql drivers.
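The two defensive checks the description above suggests, written as an added example (not code from the Go project or from this page): `NonDirectoryPathEntries` audits PATH for the precondition the LookPath issue needs, and `SafeLookPath` applies the same input rejection the fixed releases added so that code built with an older toolchain behaves the same way. Both function names are chosen here.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// ErrBadName mirrors the check added in Go 1.24.6 / 1.23.12: these names are not
// program names, and on unpatched toolchains they could resolve to a PATH entry itself.
var ErrBadName = errors.New("safeLookPath: program name must not be empty, \".\" or \"..\"")

// NonDirectoryPathEntries returns the PATH entries that exist but are not directories.
// An executable listed directly in PATH is the precondition CVE-2025-47906 needs, so
// this is a cheap startup health check for services that spawn subprocesses.
func NonDirectoryPathEntries(pathEnv string) []string {
	var bad []string
	for _, dir := range filepath.SplitList(pathEnv) {
		if dir == "" {
			continue // empty element means "current directory"; not the case examined here
		}
		if fi, err := os.Stat(dir); err == nil && !fi.IsDir() {
			bad = append(bad, dir)
		}
	}
	return bad
}

// SafeLookPath rejects the three problematic names before delegating to exec.LookPath,
// so callers get the patched behaviour even when built with an older toolchain.
func SafeLookPath(name string) (string, error) {
	if name == "" || name == "." || name == ".." {
		return "", ErrBadName
	}
	return exec.LookPath(name)
}

func main() {
	for _, e := range NonDirectoryPathEntries(os.Getenv("PATH")) {
		fmt.Printf("warning: PATH entry %q is not a directory\n", e)
	}
	if _, err := SafeLookPath("."); err != nil {
		fmt.Println(err) // prints the ErrBadName message
	}
}
```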
- Description: If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and "..") can result in the binaries listed in the PATH being unexpectedly returned.
- Source: security@golang.org
- NVD status: Awaiting Analysis

CVSS 3.1

- Type: Secondary
- Base score: 6.5
- Impact score: 2.5
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
- Severity: MEDIUM
- Hype score: Not currently trending
New security advisory for the #openSUSE community. The govulncheck-vulndb package has been updated to version 0.0.20250918T182144-1.1 to address two moderate-severity vulnerabilities (CVE-2025-47906 and CVE-2025-5187). Read more: https://t.co/zp5wXmNhTR #Security https://t.c
@Cezar_H_Linux, 21 Sept 2025
URGENT: Patch Go 1.24 now! CVE-2025-47906 (CVSS 4.0) & CVE-2025-47907 (CVSS 7.0) impact 35+ SUSE distros (Leap/SLES/SAP/HPC). Exploits allow path hijacking & DB corruption. Read more: https://t.co/7SlwnaLWqA #Security #SUSE https://t.co/4a7foJYyrP
@Cezar_H_Linux, 12 Aug 2025
URGENT: @openSUSE Tumbleweed patches 2x Golang vulns (CVE-2025-47906/47907). Read more: https://t.co/bbjTRTCU56 #Security https://t.co/CkguvznurX
@Cezar_H_Linux, 10 Aug 2025
Go 1.24.6 and 1.23.12 are released! Security: Includes security fixes for os/exec (CVE-2025-47906) and database/sql (CVE-2025-47907). Announcement: https://t.co/o2LJKjXYvP Download: https://t.co/ffHEmehO2d #golang https://t.co/4MF9a7DSL7
@golang, 6 Aug 2025