Bug 2434438 (CVE-2025-68119) - CVE-2025-68119 cmd/go: cmd/go: Local code execution and arbitrary file write via malicious module version strings
Keywords:
Status: NEW
Alias: CVE-2025-68119
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2436726 2436727
Blocks:
Reported: 2026-01-28 20:02 UTC by OSIDB Bzimport
Modified: 2026-02-05 11:51 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-01-28 20:02:19 UTC
Downloading and building modules with malicious version strings can cause local code execution.

On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution because of how the external VCS command line is constructed from the version string. The same Mercurial issue can also be triggered by providing a malicious version string directly to the toolchain.

On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. The Git variant can only be triggered by explicitly providing the malicious version string to the toolchain; it does not affect usage of @latest or bare module paths.

