data/reports: add GO-2025-3956

neild · gopherbot · commit 5032ebc6646b · 2025-09-18T11:21:44.000-07:00
- data/reports/GO-2025-3956.yaml Updates #3956 Change-Id: I73806d492e9bdff12bda0fee09ad540916c058f1 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/704476 Auto-Submit: Damien Neil <dneil@google.com> Reviewed-by: Neal Patel <nealpatel@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/data/cve/v5/GO-2025-3956.json b/data/cve/v5/GO-2025-3956.json
@@ -0,0 +1,73 @@
+{
+  "dataType": "CVE_RECORD",
+  "dataVersion": "5.0",
+  "cveMetadata": {
+    "cveId": "CVE-2025-47906"
+  },
+  "containers": {
+    "cna": {
+      "providerMetadata": {
+        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+      },
+      "title": "Unexpected paths returned from LookPath in os/exec",
+      "descriptions": [
+        {
+          "lang": "en",
+          "value": "If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned."
+        }
+      ],
+      "affected": [
+        {
+          "vendor": "Go standard library",
+          "product": "os/exec",
+          "collectionURL": "https://pkg.go.dev",
+          "packageName": "os/exec",
+          "versions": [
+            {
+              "version": "0",
+              "lessThan": "1.23.12",
+              "status": "affected",
+              "versionType": "semver"
+            },
+            {
+              "version": "1.24.0",
+              "lessThan": "1.24.6",
+              "status": "affected",
+              "versionType": "semver"
+            }
+          ],
+          "programRoutines": [
+            {
+              "name": "LookPath"
+            }
+          ],
+          "defaultStatus": "unaffected"
+        }
+      ],
+      "problemTypes": [
+        {
+          "descriptions": [
+            {
+              "lang": "en",
+              "description": "CWE-115: Misinterpretation of Input"
+            }
+          ]
+        }
+      ],
+      "references": [
+        {
+          "url": "https://go.dev/cl/691775"
+        },
+        {
+          "url": "https://go.dev/issue/74466"
+        },
+        {
+          "url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
+        },
+        {
+          "url": "https://pkg.go.dev/vuln/GO-2025-3956"
+        }
+      ]
+    }
+  }
+}
diff --git a/data/osv/GO-2025-3956.json b/data/osv/GO-2025-3956.json
@@ -0,0 +1,67 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3956",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-47906",
+    "CVE-2025-47906"
+  ],
+  "summary": "Unexpected paths returned from LookPath in os/exec",
+  "details": "If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.",
+  "affected": [
+    {
+      "package": {
+        "name": "stdlib",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.23.12"
+            },
+            {
+              "introduced": "1.24.0"
+            },
+            {
+              "fixed": "1.24.6"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "os/exec",
+            "symbols": [
+              "LookPath"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "FIX",
+      "url": "https://go.dev/cl/691775"
+    },
+    {
+      "type": "REPORT",
+      "url": "https://go.dev/issue/74466"
+    },
+    {
+      "type": "WEB",
+      "url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3956",
+    "review_status": "REVIEWED"
+  }
+}
diff --git a/data/reports/GO-2025-3956.yaml b/data/reports/GO-2025-3956.yaml
@@ -0,0 +1,31 @@
+id: GO-2025-3956
+modules:
+    - module: std
+      versions:
+        - fixed: 1.23.12
+        - introduced: 1.24.0
+        - fixed: 1.24.6
+      vulnerable_at: 1.24.5
+      packages:
+        - package: os/exec
+          symbols:
+            - LookPath
+summary: Unexpected paths returned from LookPath in os/exec
+description: |-
+    If the PATH environment variable contains paths which are executables
+    (rather than just directories), passing certain strings to LookPath
+    ("", ".", and ".."), can result in the binaries listed in the PATH
+    being unexpectedly returned.
+cves:
+    - CVE-2025-47906
+references:
+    - fix: https://go.dev/cl/691775
+    - report: https://go.dev/issue/74466
+    - web: https://groups.google.com/g/golang-announce/c/x5MKroML2yM
+cve_metadata:
+    id: CVE-2025-47906
+    cwe: 'CWE-115: Misinterpretation of Input'
+source:
+    id: go-security-team
+    created: 2025-09-16T14:01:40.614642-07:00
+review_status: REVIEWED
