CVE-2025-4674

8.6 HIGH

Published: July 29, 2025 Modified: November 04, 2025

Description

The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://go.dev/cl/686515

Source: security@golang.org

https://go.dev/issue/74380

Source: security@golang.org

https://groups.google.com/g/golang-announce/c/gTNJnDXmn34

Source: security@golang.org

https://pkg.go.dev/vuln/GO-2025-3828

Source: security@golang.org

http://www.openwall.com/lists/oss-security/2025/07/08/5

Source: af854a3a-2127-422b-91ae-364da2661108

5 reference(s) from NVD

Quick Stats

CVSS v3 Score

8.6 / 10.0

EPSS (Exploit Probability)

0.0%

0th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-73

Related CVEs

CVE-2025-69261 N/A

CVE-2025-69257 6.7

CVE-2025-69210 N/A

CVE-2025-66823 N/A

CVE-2025-50343 N/A