Skip to content

Security [High] CVE-2025-4674 #251

New issue
New issue
Open
Open
Security [High] CVE-2025-4674#251
@upbound-bot

Description

@upbound-bot
upbound-bot
opened on Aug 18, 2025

Vulnerability Details

  • ID: CVE-2025-4674
  • Severity: High
  • Affected Provider Version: ['v0.9.0', 'v0.8.2']
  • Package: stdlib
  • Package Version: go1.23.8
  • Type: go-module
  • Description: The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.
  • Fix State: fixed
  • Fix Versions: 1.23.11, 1.24.5
  • Artifact Paths: /function
  • More Info: https://go.dev/cl/686515, https://go.dev/issue/74380, https://groups.google.com/g/golang-announce/c/gTNJnDXmn34, https://pkg.go.dev/vuln/GO-2025-3828

This vulnerability was detected during the periodic CVE scan.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions