Alpaquita LinuxStreamSecurity Advisory
Search Cve

CVE-2025-4674

Published: July 18, 2025Last modified: August 21, 2025

Description

The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.

Severity score breakdown

ParameterValue
Base score8.6
Attack VectorLOCAL
Attack complexityLOW
Privileges requiredNONE
User interactionREQUIRED
ScopeCHANGED
ConfidentialityHIGH
Integrity impactHIGH
Availability impactHIGH
VectorCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Status

ProductReleasePackageStatus
Alpaquita Linux23 LTSgoFixed (1.23.11-r0)
25 LTSgoFixed (1.24.6-r0)
StreamgoFixed (1.24.5-r0)
Hardened Containers23 LTSgoFixed (1.23.11-r0)
StreamgoFixed (1.24.5-r0)

References

ON THIS PAGE