DEBIAN-CVE-2025-47906

DEBIAN-CVE-2025-47906 PUBLISHED CVSS 6.5 MEDIUM

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

Risk Scores

CVSS v3.1

6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Affected Products

Vendor	Product	Versions
Debian:12	golang-1.19	1.19.10-1, 1.19.10-2, 1.19.12-2
Debian:13	golang-1.24	1.24.9-1, 0, 1.24.12-1
Debian:11	golang-1.15	1.15.15-1~deb11u1, 1.15.15-1~deb11u2, 1.15.15-1~deb11u4

Timeline

Sep 18, 2025 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2025-47906 advisory

Open in Interactive Console →