CVE-2025-4674
July 29, 2025, 10:15 p.m.
None
No Score
Description
The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.
Product(s) Impacted
| Vendor | Product | Versions |
|---|---|---|
| Golang |
|
|
Weaknesses
Common security weaknesses mapped to this vulnerability.
*CPE(s)
Affected systems and software identified for this CVE.
| Type | Vendor | Product | Version | Update | Edition | Language | Software Edition | Target Software | Target Hardware | Other Information |
|---|---|---|---|---|---|---|---|---|---|---|
| a | golang | golang | / | / | / | / | / | / | / | / |
Tags
Timeline
Published: July 29, 2025, 10:15 p.m.
Last Modified: July 29, 2025, 10:15 p.m.
Last Modified: July 29, 2025, 10:15 p.m.
Status : Received
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
security@golang.org
*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.