CVE-2025-47906

Unexpected paths returned from LookPath in os/exec

CVSS 6.5 MEDIUMEPSS 0.5%

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 6.5EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

18 Sep 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Affected products

Go standard library · os/exec

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://go.dev/cl/691775 https://go.dev/issue/74466 https://groups.google.com/g/golang-announce/c/x5MKroML2yM https://pkg.go.dev/vuln/GO-2025-3956 http://www.openwall.com/lists/oss-security/2025/08/06/1