CVE-2025-4674: Go Command Vulnerable to Unexpected Command Execution in Untrusted VCS Repositories
Welcome back to the blog! Today, we're diving into CVE-2025-4674, a vulnerability affecting the Go programming language's `go` command. This flaw can lead to unexpected command execution when the `go` command interacts with untrusted Version Control System (VCS) repositories. Let's break it down.
🔍 TL;DR Summary
The `go` command in Go is susceptible to executing unintended commands when working with potentially malicious VCS repositories. This occurs if the repository contains conflicting metadata from different VCS systems (e.g., a Git repository with Mercurial metadata). While `go get` is not affected, direct command-line operations could be exploited.
🚨 Vulnerability Details
- CVE ID: CVE-2025-4674
- Description: The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.
- CVSS Score: No official score has been published yet, but given the potential for command execution, expect a score in the Medium to High range.
- CVSS Vector: Vector information is not available yet; it would reflect the ability to remotely trigger command execution with low privileges. We'll update this once it becomes available.
- Exploit Requirements: An attacker would need to create a malicious VCS repository with conflicting metadata and entice a user to interact with it using the `go` command directly (not through `go get`).
- Affected Vendor: Go
- Affected Product: go command
- Affected Version: All versions prior to the fix. Check official Go security advisories for details.
- CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection'). This means that the application is not properly sanitizing or validating user-supplied input before using it to construct a system command, allowing an attacker to inject arbitrary commands.
📅 Timeline of Events
- 2025-07-29: CVE ID assigned and vulnerability details published.
- Unknown: Vulnerability reported to the Go security team.
- Unknown: Patch developed and released.
🧠 Exploitability & Real-World Risk
Exploitability hinges on tricking a developer or an automated system into interacting with a crafted malicious repository. While `go get` is not affected, other `go` command invocations could be. In a CI/CD environment where repositories are routinely checked out and built, this could pose a significant risk. A successful exploit could lead to arbitrary code execution on the affected system, potentially leading to data exfiltration, system compromise, or denial of service.
🛠️ Recommendations
- Update Go: Ensure you're running the latest version of Go with the necessary patches.
- Verify Repository Integrity: Be cautious when working with VCS repositories from untrusted sources.
- Use `go get` When Possible: The `go get` command is reportedly not affected by this vulnerability, making it the safer option.
- Monitor System Activity: Keep an eye on system logs for any unusual command executions or behavior.
🧪 Technical Insight
The vulnerability arises because the `go` command attempts to automatically detect and interact with different VCS systems. When a repository contains metadata indicating multiple VCS systems are in use, the `go` command might unintentionally execute commands related to the "wrong" VCS, leading to command injection if that metadata is maliciously crafted.
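The condition the advisory describes (a checkout fetched with one VCS that also carries metadata for another) is easy to check for before a `go` command is run in an untrusted tree, for example as a pre-build step in CI. The Go program below is an added example written for this post, not code from the Go project: it looks for the well-known VCS marker directories directly under a repository root and flags the tree when more than one VCS is present. The marker list and the function names are assumptions of the example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
)

// Well-known metadata markers each VCS leaves in a checkout. The list is an
// assumption of this example, not taken from the go command's source.
var vcsMarkers = map[string]string{
	".git": "git", ".hg": "hg", ".svn": "svn", ".bzr": "bzr", ".fossil": "fossil",
}

// HasConflictingVCS lists every VCS whose marker exists directly under root
// (sorted for stable output) and reports whether more than one is present,
// the condition the advisory describes (e.g. a Git clone that also contains
// a .hg directory).
func HasConflictingVCS(root string) (bool, []string, error) {
	var found []string
	for marker, name := range vcsMarkers {
		if _, err := os.Stat(filepath.Join(root, marker)); err == nil {
			found = append(found, name)
		} else if !os.IsNotExist(err) {
			return false, nil, err // permission errors are reported, not ignored
		}
	}
	sort.Strings(found)
	return len(found) > 1, found, nil
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	conflict, found, err := HasConflictingVCS(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	fmt.Println("VCS metadata found:", found)
	if conflict {
		fmt.Println("WARNING: more than one VCS present; review before running go commands here")
		os.Exit(1)
	}
}
```

Run it with the checkout directory as its argument; a non-zero exit lets a CI job stop before any `go` command touches the tree.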
🙌 Credit to Researcher(s)
The specific researcher(s) credited with discovering this vulnerability are not explicitly mentioned in the provided data, but the Go security team likely coordinated the fix.
🔗 References
🧵 Tags
#CVE-2025-4674 #Go #VCS #Git #Mercurial #Security #CommandInjection
Summary: CVE-2025-4674 describes a vulnerability in the Go command that allows for unexpected command execution when operating within untrusted VCS repositories. This flaw occurs when a repository contains conflicting metadata from multiple VCS systems, such as Git and Mercurial. While the `go get` command is not affected, direct command-line operations could be exploited by a malicious repository.
CVE ID: CVE-2025-4674
Risk Analysis: Successful exploitation could lead to arbitrary code execution on the affected system, potentially allowing the attacker to compromise the system, steal sensitive information, or disrupt services. The risk is higher in environments where repositories from untrusted sources are frequently used.
Recommendation: Update to the latest version of Go with the necessary patches. Exercise caution when working with VCS repositories from untrusted sources. Prefer using `go get` whenever possible, as it is not affected by this vulnerability. Monitor system activity for unusual command executions.