CVE-2025-47906

Published Sep 18, 2025

Last updated 2 months ago

Overview

Description: If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and "..") can result in the binaries listed in the PATH being unexpectedly returned.
Source: security@golang.org
NVD status: Analyzed
Products: go

Risk scores

CVSS 3.1

Type: Secondary
Base score: 6.5
Impact score: 2.5
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Severity: MEDIUM

Weaknesses

nvd@nist.gov
NVD-CWE-Other

Social media

Hype score: Not currently trending
  1. 🚨 CRITICAL UPDATE for #GoLang devs using Google Wire for DI. CVE-2025-47906 allows command execution hijack via os/exec.LookPath. #Fedora 42 patch is live (v0.6.0-14). Read more: 👉 https://t.co/OxekHJJTov #Security https://t.co/Vgzr4AryTa

    @Cezar_H_Linux, 1 Jan 2026

    92 Impressions, 0 Retweets, 1 Like, 1 Bookmark, 0 Replies, 0 Quotes

  2. Just published: An in-depth analysis of the critical #Fedora Delve debugger vulnerability (FEDORA-2025-3591ae9dd3 / CVE-2025-47906). Read more: 👉 https://t.co/5RWPjULTJJ #Security https://t.co/S6U8MHQ3qE

    @Cezar_H_Linux, 1 Jan 2026

    3 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  3. A security vulnerability in delve (go-toolset:rhel8) is addressed by CVE-2025-47906. Update to version 0:1.7.2-1 or later to mitigate. https://t.co/plsqUO67eW

    @pulsepatchio, 23 Dec 2025

    9 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  4. Urgent: CVE-2025-47906 patched for #vgrep on #Fedora42. Impact: Critical. Can lead to arbitrary code execution. Read more: 👉 https://t.co/kfPxMJZtjE #Security https://t.co/vTSjcJSvur

    @Cezar_H_Linux, 1 Nov 2025

    35 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  5. New security advisory for the #openSUSE community. The govulncheck-vulndb package has been updated to version 0.0.20250918T182144-1.1 to address two moderate-severity vulnerabilities (CVE-2025-47906 and CVE-2025-5187). Read more: 👉 https://t.co/zp5wXmNhTR #Security https://t.c

    @Cezar_H_Linux, 21 Sept 2025

    42 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  6. URGENT: Patch Go 1.24 now! CVE-2025-47906 (CVSS 4.0) & CVE-2025-47907 (CVSS 7.0) impact 35+ SUSE distros (Leap/SLES/SAP/HPC). Exploits allow path hijacking & DB corruption. Read more:👉 https://t.co/7SlwnaLWqA #Security #SUSE https://t.co/4a7foJYyrP

    @Cezar_H_Linux, 12 Aug 2025

    57 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  7. URGENT: @openSUSE Tumbleweed patches 2x Golang vulns (CVE-2025-47906/47907). Read more:👉https://t.co/bbjTRTCU56 #Security https://t.co/CkguvznurX

    @Cezar_H_Linux, 10 Aug 2025

    24 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  8. 🌟 Go 1.24.6 and 1.23.12 are released! 🔒 Security: Includes security fixes for os/exec (CVE-2025-47906) and database/sql (CVE-2025-47907). 📢 Announcement: https://t.co/o2LJKjXYvP ⬇️ Download: https://t.co/ffHEmehO2d #golang https://t.co/4MF9a7DSL7

    @golang, 6 Aug 2025

    17624 Impressions, 84 Retweets, 350 Likes, 19 Bookmarks, 0 Replies, 2 Quotes

Configurations