Description
The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.
References (5)
Core References
Patch: https://go.dev/cl/686515
Issue Tracking, Third Party Advisory: https://go.dev/issue/74380
Mailing List, Release Notes: https://groups.google.com/g/golang-announce/c/gTNJnDXmn34
Vendor Advisory: https://pkg.go.dev/vuln/GO-2025-3828
Mailing List, Release Notes: http://www.openwall.com/lists/oss-security/2025/07/08/5
Scores
CVSS v3: 8.6
EPSS: 0.0026
EPSS Percentile: 16.6%
Attack Vector: LOCAL
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-73
Status: published
Products (1)
golang/go < 1.23.11
Published: Jul 29, 2025
Tracked Since: Feb 18, 2026