Description

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths.

INFO

Published Date :

2026-01-28T19:30:30.704Z

Last Modified :

2026-02-26T15:04:45.665Z

Source :

Go
AFFECTED PRODUCTS

The following products are affected by CVE-2025-68119 vulnerability.

Vendors Products
Golang
  • Go
Gotoolchain
  • Cmd/go
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-68119.

URL Resource
https://go.dev/cl/736710 cve-icon cve-icon cve-icon
https://go.dev/issue/77099 cve-icon cve-icon cve-icon
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-68119 cve-icon
https://pkg.go.dev/vuln/GO-2026-4338 cve-icon cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-68119 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact