Bug 2387083 (CVE-2025-47907) - CVE-2025-47907 database/sql: Postgres Scan Race Condition
Summary: CVE-2025-47907 database/sql: Postgres Scan Race Condition
Keywords:
Status: NEW
Alias: CVE-2025-47907
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2397303 2397304 2397305 2397301 2397302
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-08-07 16:01 UTC by OSIDB Bzimport
Modified: 2025-09-24 03:37 UTC (History)
148 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-08-07 16:01:33 UTC 
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.
Comment 4 Tom Sweeney 2025-09-22 18:05:52 UTC 
As noted in this issue in Go and its follow on links: https://github.com/golang/go/issues/74831

This appears to be addressed in Go v1.23.12, v1.24.7, and v1.25.0 and higher.
Note You need to log in before you can comment on or make changes to this bug.