{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-4674", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2025-05-13T23:31:07.620Z", "datePublished": "2025-07-29T21:19:08.519Z", "dateUpdated": "2025-08-06T16:06:57.979Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2025-07-29T21:19:08.519Z"}, "title": "Unexpected command execution in untrusted VCS repositories in cmd/go", "descriptions": [{"lang": "en", "value": "The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via \"go get\", are not affected."}], "affected": [{"vendor": "Go toolchain", "product": "cmd/go", "collectionURL": "https://pkg.go.dev", "packageName": "cmd/go", "versions": [{"version": "0", "lessThan": "1.23.11", "status": "affected", "versionType": "semver"}, {"version": "1.24.0-0", "lessThan": "1.24.5", "status": "affected", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-73: External Control of File Name or Path"}]}], "references": [{"url": "https://go.dev/cl/686515"}, {"url": "https://go.dev/issue/74380"}, {"url": "https://groups.google.com/g/golang-announce/c/gTNJnDXmn34"}, {"url": "https://pkg.go.dev/vuln/GO-2025-3828"}], "credits": [{"lang": "en", "value": "RyotaK (https://ryotak.net) of GMO Flatt Security Inc"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-73", "lang": "en", "description": "CWE-73 External Control of File Name or Path"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-08-06T16:03:21.628652Z", "id": "CVE-2025-4674", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-06T16:06:57.979Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-4674", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-06T16:03:21.628652Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73 External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-06T16:04:19.737Z"}}], "cna": {"title": "Unexpected command execution in untrusted VCS repositories in cmd/go", "credits": [{"lang": "en", "value": "RyotaK (https://ryotak.net) of GMO Flatt Security Inc"}], "affected": [{"vendor": "Go toolchain", "product": "cmd/go", "versions": [{"status": "affected", "version": "0", "lessThan": "1.23.11", "versionType": "semver"}, {"status": "affected", "version": "1.24.0-0", "lessThan": "1.24.5", "versionType": "semver"}], "packageName": "cmd/go", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected"}], "references": [{"url": "https://go.dev/cl/686515"}, {"url": "https://go.dev/issue/74380"}, {"url": "https://groups.google.com/g/golang-announce/c/gTNJnDXmn34"}, {"url": "https://pkg.go.dev/vuln/GO-2025-3828"}], "descriptions": [{"lang": "en", "value": "The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via \"go get\", are not affected."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-73: External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2025-07-29T21:19:08.519Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4674", "state": "PUBLISHED", "dateUpdated": "2025-08-06T16:06:57.979Z", "dateReserved": "2025-05-13T23:31:07.620Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2025-07-29T21:19:08.519Z", "assignerShortName": "Go"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via \"go get\", are not affected."}, {"lang": "es", "value": "El comando \"go\" puede ejecutar comandos inesperados al operar en repositorios VCS no confiables. Esto ocurre cuando existe una configuraci\u00f3n de VCS potencialmente peligrosa en los repositorios. Esto puede ocurrir cuando un repositorio se obtuvo mediante un VCS (p. ej., Git), pero contiene metadatos para otro VCS (p. ej., Mercurial). Los m\u00f3dulos obtenidos mediante la l\u00ednea de comandos \"go get\" no se ven afectados."}], "id": "CVE-2025-4674", "lastModified": "2025-08-06T16:15:30.087", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-07-29T22:15:25.380", "references": [{"source": "security@golang.org", "url": "https://go.dev/cl/686515"}, {"source": "security@golang.org", "url": "https://go.dev/issue/74380"}, {"source": "security@golang.org", "url": "https://groups.google.com/g/golang-announce/c/gTNJnDXmn34"}, {"source": "security@golang.org", "url": "https://pkg.go.dev/vuln/GO-2025-3828"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "cmd/go: Go VCS Command Execution Vulnerability", "id": "2384329", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2384329"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.6", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-74", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-4674", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "go-toolset:rhel8/golang", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-07-29T21:19:08Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-4674\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-4674\nhttps://go.dev/cl/686515\nhttps://go.dev/issue/74380\nhttps://groups.google.com/g/golang-announce/c/gTNJnDXmn34\nhttps://pkg.go.dev/vuln/GO-2025-3828"], "threat_severity": "Important"}

{"created": "2025-07-30T11:10:22.635066+00:00", "updated": "2025-07-30T11:10:22.635143+00:00", "vendors": ["gotoolchain", "gotoolchain$PRODUCT$cmd/go"]}