CVE-2025-47906

Unexpected paths returned from LookPath in os/exec

CVSS 6.5 MEDIUMEPSS 0.5%

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 6.5EPSS 0.5%KEV nãoPoC —Patch —

Ciclo de vida

18 sep 2025Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Productos afectados

Go standard library · os/exec

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://go.dev/cl/691775 https://go.dev/issue/74466 https://groups.google.com/g/golang-announce/c/x5MKroML2yM https://pkg.go.dev/vuln/GO-2025-3956 http://www.openwall.com/lists/oss-security/2025/08/06/1