CVE-2025-47906

Published: Sep 18, 2025

Modified: Nov 4, 2025

PUBLISHED

Description

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

Vendor	Product	Versions
Go standard library	os/exec	affected `0 - < 1.23.12` affected `1.24.0 - < 1.24.6`

References

https://go.dev/cl/691775

https://go.dev/issue/74466

https://groups.google.com/g/golang-announce/c/x5MKroML2yM

https://pkg.go.dev/vuln/GO-2025-3956

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-47906

Description

Affected Products

References