
CVE-2025-4674: CWE-73: External Control of File Name or Path in Go toolchain cmd/go

Type: Vulnerability
Severity: High
Tags: cve, cve-2025-4674, cwe-73
Published: Tue Jul 29 2025 (07/29/2025, 21:19:08 UTC)
Source: CVE Database V5
Vendor/Project: Go toolchain
Product: cmd/go

Description

The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.

AI-Powered Analysis

AI analysis last updated: 11/04/2025, 21:55:05 UTC

Technical Analysis

CVE-2025-4674 is a vulnerability classified under CWE-73 (External Control of File Name or Path) affecting the Go programming language toolchain, specifically the cmd/go command. The issue arises when cmd/go operates on repositories fetched from one version control system (VCS) but containing metadata from another VCS, for example, a Git-fetched repository containing Mercurial metadata. This discrepancy can cause cmd/go to execute unexpected commands or access unintended file paths, potentially leading to arbitrary code execution or manipulation of files. The vulnerability affects all Go versions up to 1.24.0-0 and is triggered when working with untrusted VCS repositories, but notably does not affect modules retrieved via the 'go get' command. The CVSS v3.1 score is 8.6 (high), with attack vector local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), scope changed (S:C), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). This means an attacker with local access and the ability to trick a user into interacting with a malicious repository can exploit this vulnerability to gain significant control over the system. No public exploits are known yet, but the vulnerability poses a serious risk to development environments and build pipelines that handle untrusted or mixed VCS repositories. The vulnerability was reserved in May 2025 and published in July 2025, with no patches currently linked, indicating that mitigation relies on cautious repository handling and upcoming updates from the Go project.

Potential Impact

For European organizations, the impact of CVE-2025-4674 can be substantial, especially for those heavily reliant on Go for software development, continuous integration/continuous deployment (CI/CD) pipelines, and automated build systems. Exploitation could lead to unauthorized code execution, data leakage, or destruction of build artifacts, undermining software integrity and availability. This could disrupt development workflows, cause supply chain compromises, or introduce backdoors into software products. Organizations using untrusted or third-party VCS repositories are particularly vulnerable, as malicious actors could craft repositories with mixed VCS metadata to trigger the vulnerability. The confidentiality of proprietary source code and intellectual property could be compromised, and the integrity of software releases jeopardized. Additionally, availability of development environments and build servers could be impacted, causing operational delays. Given the high CVSS score and scope change, the vulnerability could also facilitate lateral movement within networks if exploited in shared development environments. The lack of known exploits in the wild currently provides a window for proactive mitigation, but the risk remains high due to the ease of exploitation and significant potential impact.

Mitigation Recommendations

1. Immediately restrict usage of untrusted or unknown VCS repositories, especially those fetched from one VCS but containing metadata from another.
2. Implement strict validation and sanitization of VCS metadata before allowing cmd/go operations on repositories.
3. Use isolated and sandboxed environments for building and testing code from untrusted sources to contain potential exploitation.
4. Monitor and audit repository metadata for inconsistencies or suspicious entries indicative of mixed VCS data.
5. Educate developers and DevOps teams about the risks of using mixed or untrusted repositories and the importance of verifying repository provenance.
6. Apply the principle of least privilege to build and development environments to limit the impact of potential exploitation.
7. Track Go toolchain updates closely and apply patches as soon as they become available.
8. Consider using alternative methods or tools for fetching and managing dependencies that do not rely on cmd/go when dealing with untrusted repositories.
9. Integrate repository scanning tools into CI/CD pipelines to detect and block suspicious VCS metadata before build steps.
10. Maintain comprehensive backups of build environments and source code to enable rapid recovery in case of compromise.
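Recommendations 4 and 9 above call for auditing a checkout for metadata belonging to a VCS other than the one it was fetched with. The following Go program is an added example of such a pre-build check; it is not code from the Go project or from this advisory. It walks a repository tree, records every VCS metadata entry it finds, and reports the ones that do not match the VCS the repository was cloned with (the mixed-metadata condition the description above refers to). The marker names in `vcsMarkers` are an assumption about which entries identify each VCS; extend the map if your environment uses other tools. The `vendor/lib/.hg` layout in `main` is constructed for the demo.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// vcsMarkers maps a metadata entry name to the VCS it belongs to.
// Assumption: these are the root-level names that identify a checkout
// for each VCS; adjust for other tools in use.
var vcsMarkers = map[string]string{
	".git":      "git",
	".hg":       "hg",
	".svn":      "svn",
	".bzr":      "bzr",
	".fslckout": "fossil",
	"_FOSSIL_":  "fossil",
}

// Finding records one VCS metadata entry discovered under the scanned tree.
type Finding struct {
	VCS  string // VCS the entry belongs to
	Path string // path relative to the scan root
}

// ScanVCSMetadata walks root and reports every VCS metadata entry it finds,
// including nested ones (a .hg directory under vendor/, for instance).
// It does not descend into a metadata directory once it has been recorded.
// A .git *file* (worktree or submodule checkout) is recorded as well.
func ScanVCSMetadata(root string) ([]Finding, error) {
	var findings []Finding
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		vcs, ok := vcsMarkers[d.Name()]
		if !ok || path == root {
			return nil
		}
		rel, relErr := filepath.Rel(root, path)
		if relErr != nil {
			return relErr
		}
		findings = append(findings, Finding{VCS: vcs, Path: rel})
		if d.IsDir() {
			return fs.SkipDir // the contents of the metadata directory are irrelevant here
		}
		return nil
	})
	sort.Slice(findings, func(i, j int) bool { return findings[i].Path < findings[j].Path })
	return findings, err
}

// Unexpected returns the findings whose VCS differs from the one the
// repository was fetched with (expected, e.g. "git"). A non-empty result is
// the condition to block on before running the go command in the tree.
func Unexpected(findings []Finding, expected string) []Finding {
	var out []Finding
	for _, f := range findings {
		if f.VCS != expected {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	// Constructed demo tree: cloned with git, but carrying Mercurial metadata
	// further down the tree.
	root, err := os.MkdirTemp("", "vcsscan")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	defer os.RemoveAll(root)
	_ = os.MkdirAll(filepath.Join(root, ".git"), 0o755)
	_ = os.MkdirAll(filepath.Join(root, "vendor", "lib", ".hg"), 0o755)

	findings, err := ScanVCSMetadata(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	bad := Unexpected(findings, "git")
	for _, f := range bad {
		fmt.Printf("unexpected %s metadata at %s\n", f.VCS, f.Path)
	}
	if len(bad) > 0 {
		os.Exit(1) // non-zero exit so a CI step fails before any go command runs
	}
	fmt.Println("no foreign VCS metadata found")
}
```

Run it as a CI step before `go build` or `go test` on a freshly cloned tree, passing the VCS the pipeline actually used to fetch the code as `expected`; a non-zero exit stops the build. Scanning the whole tree rather than only the root matters because the go command locates the repository by walking upward from a package directory, so metadata nested under a subdirectory is still reachable.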


Technical Details

Data Version: 5.1
Assigner Short Name: Go
Date Reserved: 2025-05-13T23:31:07.620Z
Cvss Version: null
State: PUBLISHED

Threat ID: 68893dfdad5a09ad00914ec8

Added to database: 7/29/2025, 9:32:45 PM

Last enriched: 11/4/2025, 9:55:05 PM

Last updated: 12/12/2025, 3:21:32 AM

