CVEFinder.io

CVE-2025-68119

⚠️ high

Description

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths.

CVSS Score: 7.0 (High)
EPSS Score: 0.0 (Exploit Probability)
Published Date: 2026-01-28
First Seen: 2026-01-29
Last Modified: 2026-02-06
Source: NVD
CVSS Vector 3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Related CVEs (6)

CVE ID Severity CVSS EPSS Summary Published
CVE-2025-61726 ⚠️ high 7.5 0.0 The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query p... 2026-01-28
CVE-2025-61728 🔶 medium 6.5 0.0 archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is open... 2026-01-28
CVE-2025-61730 🔶 medium 5.3 0.0 During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instanc... 2026-01-28
CVE-2025-61731 ⚠️ high 7.8 0.0 Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of... 2026-01-28
CVE-2025-61727 🔶 medium 6.5 0.0 An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certifi... 2025-12-03
CVE-2025-61729 ⚠️ high 7.5 0.0 Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be p... 2025-12-02
These CVEs affect the same products