Vulnerability Report: GO-2025-3956

CVE-2025-47906, CVE-2025-47906
Affects: os/exec
Published: Sep 18, 2025

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

Affected Packages

Path

Versions

Symbols
os/exec

before go1.23.12, from go1.24.0 before go1.24.6
- LookPath

Aliases

CVE-2025-47906
CVE-2025-47906

References

https://go.dev/cl/691775
https://go.dev/issue/74466
https://groups.google.com/g/golang-announce/c/x5MKroML2yM
https://vuln.go.dev/ID/GO-2025-3956.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL