CVE-2025-47906

Unexpected paths returned from LookPath in os/exec

CVSS 6.5 MEDIUMEPSS 0.5%

Vexday Risk Score

13Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 6.5EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

18 set 2025Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Produtos afetados

Go standard library · os/exec

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://go.dev/cl/691775 https://go.dev/issue/74466 https://groups.google.com/g/golang-announce/c/x5MKroML2yM https://pkg.go.dev/vuln/GO-2025-3956 http://www.openwall.com/lists/oss-security/2025/08/06/1