The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.
Metrics
Affected Vendors & Products
References
History
Wed, 06 Aug 2025 16:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Weaknesses | CWE-73 | |
Metrics |
ssvc
|
Wed, 30 Jul 2025 12:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Weaknesses | CWE-74 | |
References |
| |
Metrics |
threat_severity
|
cvssV3_1
|
Wed, 30 Jul 2025 11:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Gotoolchain
Gotoolchain cmd/go |
|
Vendors & Products |
Gotoolchain
Gotoolchain cmd/go |
Tue, 29 Jul 2025 21:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected. | |
Title | Unexpected command execution in untrusted VCS repositories in cmd/go | |
References |
|

Status: PUBLISHED
Assigner: Go
Published: 2025-07-29T21:19:08.519Z
Updated: 2025-08-06T16:06:57.979Z
Reserved: 2025-05-13T23:31:07.620Z
Link: CVE-2025-4674

Updated: 2025-08-06T16:04:19.737Z

Status : Awaiting Analysis
Published: 2025-07-29T22:15:25.380
Modified: 2025-08-06T16:15:30.087
Link: CVE-2025-4674
