CVE-2025-68119

Published: Jan 28, 2026

Modified: Feb 26, 2026

PUBLISHED

Description

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths.

Vendor	Product	Versions
Go toolchain	cmd/go	affected `1.25.0 - < 1.25.6`

References

https://go.dev/cl/736710

https://go.dev/issue/77099

https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc

https://pkg.go.dev/vuln/GO-2026-4338

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-68119

Description

Affected Products

References