CVE-2025-47907

Published Aug 7, 2025

Last updated 2 months ago

CVSS high 7.0
Golang

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-47907 refers to a security vulnerability found in Go versions 1.24.6 and 1.23.12. This vulnerability is located in the `database/sql` package. Specifically, if a query is cancelled (e.g., by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows, it can lead to unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.

Description
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.
Source
security@golang.org
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
7
Impact score
4.7
Exploitability score
2.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
Severity
HIGH

Social media

Hype score
Not currently trending

  1. URGENT: Patch Go 1.24 now! CVE-2025-47906 (CVSS 4.0) & CVE-2025-47907 (CVSS 7.0) impact 35+ SUSE distros (Leap/SLES/SAP/HPC). Exploits allow path hijacking & DB corruption. Read more:๐Ÿ‘‰ https://t.co/7SlwnaLWqA #Security #SUSE https://t.co/4a7foJYyrP

    @Cezar_H_Linux

    12 Aug 2025

    57 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. ๐Ÿšจ ALERT: CVE-2025-47907 (CVSS 7.0) in Go 1.23 lets attackers corrupt database results. Patch #SUSE Linux, SAP, HPC systems IMMEDIATELY. Read more: ๐Ÿ‘‰ https://t.co/ddFLtCUsEz #Security https://t.co/PEZMaEQorZ

    @Cezar_H_Linux

    12 Aug 2025

    48 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2025-47907 Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected โ€ฆ https://t.co/jFQnxBPryZ

    @CVEnew

    7 Aug 2025

    162 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. ๐ŸŒŸ Go 1.24.6 and 1.23.12 are released! ๐Ÿ”’ Security: Includes security fixes for os/exec (CVE-2025-47906) and database/sql (CVE-2025-47907). ๐Ÿ“ข Announcement: https://t.co/o2LJKjXYvP โฌ‡๏ธ Download: https://t.co/ffHEmehO2d #golang https://t.co/4MF9a7DSL7

    @golang

    6 Aug 2025

    17624 Impressions

    84 Retweets

    350 Likes

    19 Bookmarks

    0 Replies

    2 Quotes

References

Sources include official advisories and independent security research.