DEBIAN-CVE-2025-4674
PUBLISHED
CVSS 8.6 HIGH
The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.
Risk Scores
CVSS 3.1
8.6
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:11 | golang-1.15 | 0, 1.15.15-1, 1.15.15-1~deb11u1 |
| Debian:12 | golang-1.19 | 1.19.13-1, 1.19.8-2, 1.19.9-1 |
| Debian:13 | golang-1.24 | 0, 1.24.13-1, 1.24.4-1 |
Timeline
- Jul 29, 2025 CVE Published
- Apr 28, 2026 CVE Updated