CVE-2025-47907

Incorrect results returned from Rows.Scan in database/sql

CVSS 7 HIGHEPSS 0.3%

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

07 Aug 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

Affected products

Go standard library · database/sql

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://go.dev/cl/693735 https://go.dev/issue/74831 https://groups.google.com/g/golang-announce/c/x5MKroML2yM https://pkg.go.dev/vuln/GO-2025-3849 http://www.openwall.com/lists/oss-security/2025/08/06/1