Bug 2384329 (CVE-2025-4674)

Summary: CVE-2025-4674 cmd/go: Go VCS Command Execution Vulnerability
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: caswilli, crizzo, dfreiber, drow, jburrell, kaycoth, ljawale, luizcosta, nweather, rbobbitt, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in cmd/go. The `go` command can execute arbitrary commands when processing untrusted version control system (VCS) repositories containing malicious configuration. This issue occurs because the command interprets VCS metadata, potentially leading to unintended command execution. A malicious actor can trigger this by providing a repository with a crafted VCS configuration, resulting in arbitrary code execution within the context of the `go` process.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2384415, 2384416
Bug Blocks:

Description OSIDB Bzimport 2025-07-29 22:01:18 UTC
The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.
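
An added check, not part of this bug report or of the Go toolchain, that flags the mixed-VCS condition described above: a checkout obtained with one VCS (assumed here to be git) that also carries metadata for another. The marker names it probes for, the function names and the git assumption are this example's own.

```go
package main

import (
	"fmt"
	"log"
	"os"
	"path/filepath"
)

// VCS metadata names the check probes for (an assumption, not from the report).
var vcsMarkers = map[string]string{".git": "git", ".hg": "hg", ".svn": "svn",
	".bzr": "bzr", ".fslckout": "fossil", "_FOSSIL_": "fossil"}

// ScanVCSMetadata records, per VCS, each directory (relative to root) holding its metadata.
func ScanVCSMetadata(root string) (map[string][]string, error) {
	found := map[string][]string{}
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		if vcs, ok := vcsMarkers[info.Name()]; ok {
			rel, _ := filepath.Rel(root, filepath.Dir(p))
			found[vcs] = append(found[vcs], rel)
			if info.IsDir() { // never descend into the metadata itself
				return filepath.SkipDir
			}
		}
		return nil
	})
	return found, err
}

// ForeignVCS lists VCSs present although the checkout was fetched with fetchedWith.
func ForeignVCS(found map[string][]string, fetchedWith string) []string {
	var foreign []string
	for _, vcs := range []string{"git", "hg", "svn", "bzr", "fossil"} { // fixed order
		if _, ok := found[vcs]; ok && vcs != fetchedWith {
			foreign = append(foreign, vcs)
		}
	}
	return foreign
}

func main() { // usage: go run . <checkout-dir>; treats the checkout as fetched with git
	found, err := ScanVCSMetadata(os.Args[1])
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("foreign VCS metadata:", ForeignVCS(found, "git"), found)
}
```

Run it over a checkout before invoking the go command inside it; any foreign entry means the go command could interpret metadata for a VCS other than the one the repository was fetched with.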

Comment 3 errata-xmlrpc 2025-08-18 00:22:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:13939 https://access.redhat.com/errata/RHSA-2025:13939

Comment 4 errata-xmlrpc 2025-08-18 00:27:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:13936 https://access.redhat.com/errata/RHSA-2025:13936

Comment 5 errata-xmlrpc 2025-08-18 00:38:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:13941 https://access.redhat.com/errata/RHSA-2025:13941

Comment 6 errata-xmlrpc 2025-08-18 00:46:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:13940 https://access.redhat.com/errata/RHSA-2025:13940

Comment 7 errata-xmlrpc 2025-08-18 00:49:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:13935 https://access.redhat.com/errata/RHSA-2025:13935

Comment 8 errata-xmlrpc 2025-08-19 13:22:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2025:14093 https://access.redhat.com/errata/RHSA-2025:14093