Skip to content

cmd/go: unexpected command execution in untrusted VCS repositories CVE-2025-4674 [1.23 backport] #74382

New issue
New issue
Closed
Closed
cmd/go: unexpected command execution in untrusted VCS repositories CVE-2025-4674 [1.23 backport]#74382
Labels
CherryPickApprovedUsed during the release process for point releasesSecurity
Milestone
Go1.23.11
@gopherbot

Description

@gopherbot
gopherbot
opened on Jun 25, 2025 · edited by cagedmantis
Contributor

@rolandshoemaker requested issue #74380 to be considered for backport to the next 1.23 minor release.

@gopherbot please open backport issues for this.

Various uses of the Go toolchain in untrusted VCS repositories can result in
unexpected code execution. When using the Go toolchain in directories fetched
using various VCS tools (such as directly cloning Git or Mercurial repositories)
can cause the toolchain to execute unexpected commands, if said directory
contains multiple VCS configuration metadata (such as a '.hg' directory in a Git
repository). This is due to how the Go toolchain attempts to resolve which VCS
is being used in order to embed build information in binaries and determine
module versions.

The toolchain will now abort attempting to resolve which VCS is being used if it
detects multiple VCS configuration metadata in a module directory or nested VCS
configuration metadata (such as a '.git' directoy in a parent directory and a
'.hg' directory in a child directory). This will not prevent the toolchain from
building modules, but will result in binaries omitting VCS related build
information.

If this behavior is expected by the user, the old behavior can be re-enabled by
setting GODEBUG=allowmultiplevcs=1. This should only be done in trusted
repositories.

Thanks to RyotaK (https://ryotak.net) of GMO Flatt Security Inc for reporting
this issue.

This is CVE-2025-4674.

Activity

gopherbot
added
Security
CherryPickCandidateUsed during the release process for point releases
on Jun 25, 2025
gopherbot
mentioned this on Jun 25, 2025
gopherbot
added this to the Go1.24.5 milestone on Jun 25, 2025
rolandshoemaker
added
CherryPickApprovedUsed during the release process for point releases
and removed
CherryPickCandidateUsed during the release process for point releases
on Jul 1, 2025
gopherbot

gopherbot commented on Jul 8, 2025

@gopherbot
gopherbot
on Jul 8, 2025
ContributorAuthor

Change https://go.dev/cl/686337 mentions this issue: [release-branch.go1.23] cmd/go: disable support for multiple vcs in one module

gopherbot
added a commit that references this issue on Jul 8, 2025

[release-branch.go1.23] cmd/go: disable support for multiple vcs in o…

e9d2c03
gopherbot
modified the milestones: Go1.24.5, Go1.24.6 on Jul 8, 2025
cagedmantis
changed the title [-]security: fix CVE-2025-4674 [1.24 backport][/-] [+]cmd/go: unexpected command execution in untrusted VCS repositories CVE-2025-4674 [1.24 backport][/+] on Jul 8, 2025
cagedmantis
closed this as completedon Jul 8, 2025
cagedmantis
modified the milestones: Go1.24.6, Go1.24.5 on Jul 8, 2025
cagedmantis
changed the title [-]cmd/go: unexpected command execution in untrusted VCS repositories CVE-2025-4674 [1.24 backport][/-] [+]cmd/go: unexpected command execution in untrusted VCS repositories CVE-2025-4674 [1.23 backport][/+] on Jul 8, 2025
cagedmantis
modified the milestones: Go1.24.5, Go1.23.11 on Jul 8, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    CherryPickApprovedUsed during the release process for point releasesSecurity

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @cagedmantis@rolandshoemaker@gopherbot

        Issue actions
          cmd/go: unexpected command execution in untrusted VCS repositories CVE-2025-4674 [1.23 backport] · Issue #74382 · golang/go