Vulnerability Report: GO-2025-3828

  • CVE-2025-4674, CVE-2025-4674
  • Affects: cmd/go
  • Published: Jul 29, 2025

The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.

Affected Packages

  • Path
    Versions
    Symbols
  • cmd/go
    before go1.23.11, from go1.24.0-0 before go1.24.5
    all symbols

Aliases

References

Credits

  • RyotaK (https://ryotak.net) of GMO Flatt Security Inc

Feedback

See anything missing or incorrect? Suggest an edit to this report.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.