{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-47906", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2025-05-13T23:31:29.596Z", "datePublished": "2025-09-18T18:41:11.847Z", "dateUpdated": "2025-09-18T20:42:38.389Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2025-09-18T18:41:11.847Z"}, "title": "Unexpected paths returned from LookPath in os/exec", "descriptions": [{"lang": "en", "value": "If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned."}], "affected": [{"vendor": "Go standard library", "product": "os/exec", "collectionURL": "https://pkg.go.dev", "packageName": "os/exec", "versions": [{"version": "0", "lessThan": "1.23.12", "status": "affected", "versionType": "semver"}, {"version": "1.24.0", "lessThan": "1.24.6", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "LookPath"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-115: Misinterpretation of Input"}]}], "references": [{"url": "https://go.dev/cl/691775"}, {"url": "https://go.dev/issue/74466"}, {"url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"}, {"url": "https://pkg.go.dev/vuln/GO-2025-3956"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-09-18T20:42:17.936162Z", "id": "CVE-2025-47906", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-18T20:42:38.389Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-47906", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-18T20:42:17.936162Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-18T20:42:34.381Z"}}], "cna": {"title": "Unexpected paths returned from LookPath in os/exec", "affected": [{"vendor": "Go standard library", "product": "os/exec", "versions": [{"status": "affected", "version": "0", "lessThan": "1.23.12", "versionType": "semver"}, {"status": "affected", "version": "1.24.0", "lessThan": "1.24.6", "versionType": "semver"}], "packageName": "os/exec", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "LookPath"}]}], "references": [{"url": "https://go.dev/cl/691775"}, {"url": "https://go.dev/issue/74466"}, {"url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"}, {"url": "https://pkg.go.dev/vuln/GO-2025-3956"}], "descriptions": [{"lang": "en", "value": "If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-115: Misinterpretation of Input"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2025-09-18T18:41:11.847Z"}}}, "cveMetadata": {"cveId": "CVE-2025-47906", "state": "PUBLISHED", "dateUpdated": "2025-09-18T20:42:38.389Z", "dateReserved": "2025-05-13T23:31:29.596Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2025-09-18T18:41:11.847Z", "assignerShortName": "Go"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned."}], "id": "CVE-2025-47906", "lastModified": "2025-09-18T21:15:47.920", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-09-18T19:15:37.660", "references": [{"source": "security@golang.org", "url": "https://go.dev/cl/691775"}, {"source": "security@golang.org", "url": "https://go.dev/issue/74466"}, {"source": "security@golang.org", "url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"}, {"source": "security@golang.org", "url": "https://pkg.go.dev/vuln/GO-2025-3956"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Received"}

{}

{}