VYPR
Unrated severityNVD Advisory· Published Jul 29, 2025· Updated Nov 4, 2025

Unexpected command execution in untrusted VCS repositories in cmd/go

CVE-2025-4674

Description

The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

121

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.