Bug 2384329 (CVE-2025-4674) - CVE-2025-4674 cmd/go: Go VCS Command Execution Vulnerability
Summary: CVE-2025-4674 cmd/go: Go VCS Command Execution Vulnerability
Keywords:
Status: NEW
Alias: CVE-2025-4674
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2384415 2384416
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-07-29 22:01 UTC by OSIDB Bzimport
Modified: 2025-08-19 13:23 UTC (History)
11 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2025:13935 0 None None None 2025-08-18 00:49:33 UTC
Red Hat Product Errata RHSA-2025:13936 0 None None None 2025-08-18 00:27:42 UTC
Red Hat Product Errata RHSA-2025:13939 0 None None None 2025-08-18 00:22:09 UTC
Red Hat Product Errata RHSA-2025:13940 0 None None None 2025-08-18 00:46:28 UTC
Red Hat Product Errata RHSA-2025:13941 0 None None None 2025-08-18 00:38:36 UTC
Red Hat Product Errata RHSA-2025:14093 0 None None None 2025-08-19 13:23:00 UTC

Description OSIDB Bzimport 2025-07-29 22:01:18 UTC 
The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.
Comment 3 errata-xmlrpc 2025-08-18 00:22:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:13939 https://access.redhat.com/errata/RHSA-2025:13939
Comment 4 errata-xmlrpc 2025-08-18 00:27:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:13936 https://access.redhat.com/errata/RHSA-2025:13936
Comment 5 errata-xmlrpc 2025-08-18 00:38:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:13941 https://access.redhat.com/errata/RHSA-2025:13941
Comment 6 errata-xmlrpc 2025-08-18 00:46:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:13940 https://access.redhat.com/errata/RHSA-2025:13940
Comment 7 errata-xmlrpc 2025-08-18 00:49:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:13935 https://access.redhat.com/errata/RHSA-2025:13935
Comment 8 errata-xmlrpc 2025-08-19 13:22:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2025:14093 https://access.redhat.com/errata/RHSA-2025:14093
Note You need to log in before you can comment on or make changes to this bug.