- Description
- Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths.
- Source
- security@golang.org
- NVD status
- Analyzed
- Products
- go
CVSS 3.1
- Type
- Secondary
- Base score
- 7
- Impact score
- 5.9
- Exploitability score
- 1
- Vector string
- CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
- nvd@nist.gov
- CWE-787
- Hype score
- Not currently trending
π Lambda Watchdog detected that CVE-2025-68119 is no longer present in latest AWS Lambda base image scans. https://t.co/s2SthkEQ5S #AWS #Lambda #Security #CVE #DevOps #SecOps
@LambdaWatchdog
23 Feb 2026
17 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
π¨ New HIGH CVE detected in AWS Lambda π¨ CVE-2025-68119 impacts libcap in 20 Lambda base images. Details: https://t.co/s2SthkEQ5S More: https://t.co/6EUGaPyRZk #AWS #Lambda #CVE #CloudSecurity #Serverless
@LambdaWatchdog
8 Feb 2026
1 Impression
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A high severity code execution vulnerability (CVE-2025-68119) affects the Go toolchain. Update Go to 1.25.6 to mitigate risks in #development and #CI/CD environments. #golang https://t.co/TqivMABjjL
@pulsepatchio
1 Feb 2026
60 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-68119 Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non⦠https://t.co/oqUFl879de
@CVEnew
28 Jan 2026
161 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
π₯³ Go 1.26 Release Candidate 2 is released! π Security: Includes security fixes for archive/zip (CVE-2025-61728), net/http (CVE-2025-61726), crypto/tls (CVE-2025-68121, CVE-2025-61730), cmd/go (CVE-2025-61731, CVE-2025-68119). πββοΈ Run it in dev! Run it in prod! F
@golang
15 Jan 2026
22045 Impressions
52 Retweets
423 Likes
30 Bookmarks
4 Replies
2 Quotes
π Go 1.25.6 and 1.24.12 are released! π Security: Includes security fixes for archive/zip (CVE-2025-61728), net/http (CVE-2025-61726), crypto/tls (CVE-2025-68121, CVE-2025-61730), cmd/go (CVE-2025-61731, CVE-2025-68119). π£ Announcement: https://t.co/seVA1REoeH π¦ Do
@golang
15 Jan 2026
14651 Impressions
53 Retweets
279 Likes
26 Bookmarks
4 Replies
3 Quotes
A Go release scheduled for Thursday, Jan 15th covering CVE-2025-61728 CVE-2025-61726 CVE-2025-68121 CVE-2025-61731 CVE-2025-68119, all currently embargoed. Reports of an SSH 0-day, in context of Go's crypto/ssh module.βββ£ββ£ββββββ£β£βββββ£ββ£β£
@_mattata
13 Jan 2026
327 Impressions
0 Retweets
5 Likes
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*",
"matchCriteriaId": "21FD9368-8AB3-404B-8599-BBF64EFE3C7B",
"versionEndExcluding": "1.24.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A547E844-78D2-4B17-B7A9-73E7B503D2CE",
"versionEndExcluding": "1.25.6",
"versionStartIncluding": "1.25.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]