CVE-2025-68119
HIGH EPSS 25.4%
Published Jan 28, 20265mo ago · Modified Jun 17, 20261w ago
7.0 CVSS 3.1
Published Jan 28, 2026 5mo ago
Last Modified Jun 17, 2026 1w ago
Description
Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
25.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-787 Out-of-bounds Write Memory Safety
Affected Products 2
References 4
- go.dev https://go.dev/cl/736710
- go.dev https://go.dev/issue/77099
- groups.google.com https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
- pkg.go.dev https://pkg.go.dev/vuln/GO-2026-4338