CVE-2025-4674

Severity: HIGH 8.6 · EPSS percentile 16.6%

Description

The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.

Scoring

CVSS 3.1: 8.6 (HIGH)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.26% probability of exploitation · percentile 16.6% · 2026-06-19T12:03:05Z
Published: 2025-07-29
Last modified: 2026-01-29

Underlying weaknesses · 1

CWE-73

References

  1. https://go.dev/cl/686515
  2. https://go.dev/issue/74380
  3. https://groups.google.com/g/golang-announce/c/gTNJnDXmn34
  4. https://pkg.go.dev/vuln/GO-2025-3828
  5. http://www.openwall.com/lists/oss-security/2025/07/08/5


Type      Target                                          Confidence  Tier
Weakness  External Control of File Name or Path (cwe-73)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-45570
  2. CVE-2026-45571
  3. CVE-2025-61732
  4. CVE-2025-21613
  5. CVE-2026-45022
  6. CVE-2025-48938
Sourced from NVD and FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.