SecuriTricks - CVE-2025-68119

Description

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths.

Product(s) Impacted

Vendor	Product	Versions
Golang	Go	*
Mercurial	Mercurial	*
Git	Git	*

Weaknesses

Common security weaknesses mapped to this vulnerability.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	golang	go	/	/	/	/	/	/	/	/
a	mercurial	mercurial	/	/	/	/	/	/	/	/
a	git	git	/	/	/	/	/	/	/	/

References

https://go.dev/cl/736710

https://go.dev/issue/77099

https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc

https://pkg.go.dev/vuln/GO-2026-4338

CVSS Score

7.0 / 10

CVSS Data - 3.1

Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: LOW
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

View Vector String

Timeline

Published: Jan. 28, 2026, 8:16 p.m.
Last Modified: Jan. 29, 2026, 5:16 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2025-68119