Description

The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.

INFO

Published Date :

2025-07-29T21:19:08.519Z

Last Modified :

2025-11-04T21:10:50.871Z

Source :

Go
AFFECTED PRODUCTS

The following products are affected by CVE-2025-4674 vulnerability.

Vendors Products
Golang
  • Go
Gotoolchain
  • Cmd/go
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-4674.

URL Resource
http://www.openwall.com/lists/oss-security/2025/07/08/5 cve-icon
https://go.dev/cl/686515 cve-icon cve-icon cve-icon
https://go.dev/issue/74380 cve-icon cve-icon cve-icon
https://groups.google.com/g/golang-announce/c/gTNJnDXmn34 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-4674 cve-icon
https://pkg.go.dev/vuln/GO-2025-3828 cve-icon cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-4674 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact