CVE-2025-47907

Published Aug 7, 2025

Last updated 7 months ago

CVSS high 7.0
Golang
Mysql

Overview

Description
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.
Source
security@golang.org
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
7
Impact score
4.7
Exploitability score
2.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
Severity
HIGH

Social media

Hype score
Not currently trending

  1. ๐Ÿ”ด Go Standard Library, Race Condition, #CVE-2025-47907 (High) https://t.co/efXsFGwUet

    @dailycve

    5 Jan 2026

    25 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. URGENT: Patch Go 1.24 now! CVE-2025-47906 (CVSS 4.0) & CVE-2025-47907 (CVSS 7.0) impact 35+ SUSE distros (Leap/SLES/SAP/HPC). Exploits allow path hijacking & DB corruption. Read more:๐Ÿ‘‰ https://t.co/7SlwnaLWqA #Security #SUSE https://t.co/4a7foJYyrP

    @Cezar_H_Linux

    12 Aug 2025

    57 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. ๐Ÿšจ ALERT: CVE-2025-47907 (CVSS 7.0) in Go 1.23 lets attackers corrupt database results. Patch #SUSE Linux, SAP, HPC systems IMMEDIATELY. Read more: ๐Ÿ‘‰ https://t.co/ddFLtCUsEz #Security https://t.co/PEZMaEQorZ

    @Cezar_H_Linux

    12 Aug 2025

    48 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-47907 Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected โ€ฆ https://t.co/jFQnxBPryZ

    @CVEnew

    7 Aug 2025

    162 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. ๐ŸŒŸ Go 1.24.6 and 1.23.12 are released! ๐Ÿ”’ Security: Includes security fixes for os/exec (CVE-2025-47906) and database/sql (CVE-2025-47907). ๐Ÿ“ข Announcement: https://t.co/o2LJKjXYvP โฌ‡๏ธ Download: https://t.co/ffHEmehO2d #golang https://t.co/4MF9a7DSL7

    @golang

    6 Aug 2025

    17624 Impressions

    84 Retweets

    350 Likes

    19 Bookmarks

    0 Replies

    2 Quotes

Related CVEs

  1. During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.โ€ขCVE-2025-68121
  2. A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.โ€ขCVE-2025-61732
  3. It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.โ€ขCVE-2025-22873
  4. Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths.โ€ขCVE-2025-68119
  5. Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.โ€ขCVE-2025-61731

References

Sources include official advisories and independent security research.