CVE-2025-47906
Published: August 9, 2025Last modified: August 21, 2025
Description
If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.5 |
| Attack Vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | LOW |
| Integrity impact | NONE |
| Availability impact | LOW |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | go | Fixed (1.23.12-r0) |
| 25 LTS | go | Fixed (1.24.6-r0) | |
| Stream | go | Fixed (1.24.6-r0) | |
| Hardened Containers | 23 LTS | go | Fixed (1.23.12-r0) |
| Stream | go | Fixed (1.24.6-r0) |