
Security [Unknown] CVE-2025-4674 #97

@upbound-bot

Description


Vulnerability Details

  • ID: CVE-2025-4674
  • Severity: Unknown
  • Affected Provider Versions: v2.2.1, v2.1.3
  • Package: stdlib
  • Package Version: go1.23.10
  • Type: go-module
  • Description: The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.
  • Fix State: fixed
  • Fix Versions: 1.23.11, 1.24.5
  • Artifact Paths: /usr/local/bin/provider
  • More Info: https://go.dev/cl/686515, https://go.dev/issue/74380, https://groups.google.com/g/golang-announce/c/gTNJnDXmn34, https://pkg.go.dev/vuln/GO-2025-3828

This vulnerability was detected during the periodic CVE scan. The affected code is the go command itself (cmd/go), not library code linked into the provider; the scanner matched on the Go toolchain version (go1.23.10) recorded in the binary's build info. Remediation is rebuilding the provider with Go 1.23.11, 1.24.5 or later.
