CVE-2025-4674: CWE-73: External Control of File Name or Path in Go toolchain cmd/go
The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.
AI Analysis
Technical Summary
CVE-2025-4674 affects cmd/go, the go command in the Go toolchain. The go command shells out to external version control tools (git, hg, svn, bzr, fossil) when it needs repository state, most visibly when it stamps VCS information into binaries under the default -buildvcs=auto setting, and it decides which tool to run from the metadata it finds in the directory tree around the package being built. In an untrusted checkout that was fetched with one VCS (for example Git) but also carries metadata for another (for example Mercurial), the go command can end up invoking that second tool, which then honours attacker-controlled, repository-local configuration and can run arbitrary commands in the context of the developer or the CI runner. The CWE-73 classification (External Control of File Name or Path) reflects that the trigger is a path the attacker controls inside the checkout rather than a flaw in a Go library API. Modules fetched with go get are not affected, as the CVE record states: the extracted module cache contains no VCS metadata directories, so no VCS tool is run against it. The affected-version data reproduced on this page ends at 1.24.0-0, which is a semver pre-release marker for the start of the 1.24 line rather than a precise boundary; the Go project addressed the issue in July 2025 point releases of the supported 1.23 and 1.24 lines, and the exact minimum versions should be confirmed against the Go release notes and the Go vulnerability database (vuln.go.dev) before being relied on. No exploitation in the wild has been reported and no CVSS score has been assigned. The CVE was reserved on 13 May 2025 and published on 29 July 2025; the absence of a patch link in this record is a gap in the record, not evidence that a fix is still pending.
Potential Impact
For European organizations, the exposure is in developer workstations and CI/CD runners that run the go command inside a cloned repository they did not author: pull-request builds from forks, third-party code obtained by cloning rather than by go get, and mirrored or re-hosted repositories. An attacker who controls such a checkout can obtain command execution on the builder, which puts the integrity of every artefact produced there at risk: modified binaries, inserted backdoors, and poisoned build or module caches that outlive the malicious checkout. Confidentiality is at risk wherever the builder holds CI tokens, registry credentials or signing keys in its environment, and availability is affected if builds are disrupted or corrupted. Given Go's broad use in cloud-native services, infrastructure tooling and CLI utilities, organizations that build Go from externally sourced trees face material operational and supply-chain risk. The attack surface is bounded, however: the go command must be run inside an attacker-controlled checkout that carries metadata for a second VCS, and dependencies resolved through go get or a module proxy are not affected.
Mitigation Recommendations
European organizations should treat a cloned repository as untrusted input to the build and act on the following, roughly in priority order:
1) Upgrade every Go toolchain that builds externally sourced code to a release containing the fix for CVE-2025-4674 (check the Go release notes and the Go vulnerability database for the minimum 1.23 and 1.24 point releases), pin it with the toolchain directive in go.mod or the GOTOOLCHAIN environment variable, and confirm on the runner with go version.
2) Until the upgrade lands, build untrusted checkouts with -buildvcs=false (for example via GOFLAGS=-buildvcs=false) so the go command does not invoke VCS tools to stamp version information into binaries; this is a workaround that narrows exposure, not a replacement for the fix.
3) Validate checkouts before invoking the go command: scan the whole tree, not only the top level, for VCS metadata of any kind other than the one the pipeline fetched with (for example a .hg directory inside a git clone) and fail the job if any is found, rather than trying to sanitize it.
4) Run builds of untrusted code in ephemeral, least-privilege sandboxes or containers with no long-lived credentials, no signing keys and no write access to shared caches or registries; never grant pull-request builds from forks the secrets of the main pipeline.
5) Log child processes spawned by the go command on builders and alert on VCS tools the pipeline has no reason to run (an hg or svn process in a Git-only pipeline is a strong signal).
6) Prefer dependency resolution through go get and a module proxy, which is unaffected, over cloning third-party repositories into the build tree.
7) Brief developers and DevOps teams that VCS metadata inside a checkout can carry configuration that drives command execution and is not inert data, and that mixed metadata in a clone is a reason to stop rather than to work around.
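The pre-build validation recommended above, as an added example: this is the editor's own Go program, not code from the Go project or from this advisory. It assumes a CI step that knows which VCS it fetched the workspace with ("git" here) and runs the scan before any go command is invoked; the marker list in vcsMarkers, the Report type and the buildFixture sample tree are all this example's own constructions and not taken from cmd/go. It walks the entire tree rather than only the top level, because the dangerous case is foreign metadata sitting next to a package deep inside a clone.

```go
package main

import (
	"fmt"
	"io/fs"
	"log"
	"os"
	"path/filepath"
	"sort"
)

// vcsMarkers maps the metadata entry each VCS leaves in a checkout to the VCS
// name. ASSUMPTION: the example's own list, not a copy of cmd/go's table.
var vcsMarkers = map[string]string{
	".git": "git", ".hg": "hg", ".svn": "svn", ".bzr": "bzr", ".fossil": "fossil",
}

type Finding struct{ VCS, Path string } // one marker and its slash path from root

// Report summarises the VCS metadata found in a checkout.
type Report struct {
	Expected string    // VCS the pipeline used to fetch the checkout
	Findings []Finding // every marker found, sorted by path
	Kinds    []string  // distinct VCS kinds found, sorted
}

// Clean is true when only the expected VCS (or none at all) left metadata.
func (r Report) Clean() bool {
	for _, k := range r.Kinds {
		if k != r.Expected {
			return false
		}
	}
	return true
}

// ScanCheckout walks root and records every VCS marker, including ones nested
// below the top level, next to a package the go command would build.
func ScanCheckout(root, expected string) (Report, error) {
	rep := Report{Expected: expected}
	seen := map[string]bool{}
	walk := func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		vcs, ok := vcsMarkers[d.Name()]
		if !ok || p == root {
			return nil
		}
		rel, _ := filepath.Rel(root, p) // p is always below root here
		rep.Findings = append(rep.Findings, Finding{VCS: vcs, Path: filepath.ToSlash(rel)})
		seen[vcs] = true
		if d.IsDir() {
			return filepath.SkipDir // do not descend into the metadata itself
		}
		return nil
	}
	if err := filepath.WalkDir(root, walk); err != nil {
		return rep, err
	}
	for k := range seen {
		rep.Kinds = append(rep.Kinds, k)
	}
	sort.Strings(rep.Kinds)
	sort.Slice(rep.Findings, func(i, j int) bool { return rep.Findings[i].Path < rep.Findings[j].Path })
	return rep, nil
}

// buildFixture creates a constructed sample checkout: a Git repository that
// also carries Mercurial metadata under cmd/tool. Not a real repository.
func buildFixture(dir string) error {
	hg := filepath.Join(dir, "cmd", "tool", ".hg")
	for _, d := range []string{filepath.Join(dir, ".git"), hg} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return err
		}
	}
	return os.WriteFile(filepath.Join(hg, "hgrc"), []byte("# constructed fixture\n"), 0o644)
}

func main() {
	dir, err := os.MkdirTemp("", "vcs-gate")
	if err != nil {
		log.Fatal(err)
	}
	defer os.RemoveAll(dir)
	if err := buildFixture(dir); err != nil {
		log.Fatal(err)
	}
	rep, err := ScanCheckout(dir, "git")
	if err != nil {
		log.Fatal(err)
	}
	for _, f := range rep.Findings {
		fmt.Printf("%-7s %s\n", f.VCS, f.Path)
	}
	if !rep.Clean() {
		// In CI this is where the job stops, before any go command runs.
		fmt.Printf("FAIL: fetched with %s but found metadata for %v\n", rep.Expected, rep.Kinds)
		return
	}
	fmt.Printf("OK: only %s metadata present\n", rep.Expected)
}
```

To apply it to a real workspace, point ScanCheckout at the checkout directory instead of the fixture and map a non-clean report to a non-zero exit. The gate is a policy check on directory and file names only; it never opens or interprets VCS configuration, so it is safe to run on hostile input.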
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Go
- Date Reserved: 2025-05-13T23:31:07.620Z
- CVSS Version: not assigned (null)
- State: PUBLISHED
Threat ID: 68893dfdad5a09ad00914ec8
Added to database: 7/29/2025, 9:32:45 PM
Last enriched: 7/29/2025, 9:48:22 PM
Last updated: 7/31/2025, 5:34:06 AM