CVE-2025-47906: CWE-115: Misinterpretation of Input in Go standard library os/exec

Severity: Medium
Tags: cve, cve-2025-47906, cwe-115
Published: Thu Sep 18 2025 (09/18/2025, 18:41:11 UTC)
Source: CVE Database V5
Vendor/Project: Go standard library
Product: os/exec

Description

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and "..") can result in the binaries listed in the PATH being unexpectedly returned.

AI-Powered Analysis

Last updated: 09/18/2025, 20:46:53 UTC

Technical Analysis

CVE-2025-47906 is a medium-severity vulnerability affecting the Go standard library's os/exec package, specifically the LookPath function. The vulnerability arises from a misinterpretation of input when the PATH environment variable contains executable files rather than just directories. Normally, PATH is expected to be a list of directories where executables reside, but if it includes actual executable files, passing certain special strings such as "", ".", or ".." to LookPath can cause it to return these binaries unexpectedly. This behavior deviates from the intended functionality, potentially leading to the execution of unintended binaries.

The vulnerability is classified under CWE-115, which relates to improper handling or interpretation of input data. The affected versions include all Go versions up to and including 1.24.0. The CVSS v3.1 base score is 6.5, indicating a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), low confidentiality impact (C:L), no integrity impact (I:N), and low availability impact (A:L). No known exploits are currently reported in the wild, and no patches have been linked yet.

This vulnerability could be exploited remotely without authentication or user interaction, but it requires the PATH environment variable to be manipulated to include executable files, which is an uncommon but plausible misconfiguration or attack vector. The issue could lead to unintended execution of binaries, potentially causing denial of service or information disclosure depending on the context in which LookPath is used.

Potential Impact

For European organizations, this vulnerability poses a moderate risk, particularly to those developing or deploying applications using the Go programming language, especially versions up to 1.24.0. Since Go is widely used in cloud-native applications, microservices, and infrastructure tooling, exploitation could lead to unexpected execution flows or denial of service conditions if an attacker can influence the PATH environment variable. This is more likely in multi-tenant or containerized environments where environment variables might be manipulated or inherited improperly. Confidentiality impact is low, but availability could be affected if critical services rely on os/exec LookPath for locating executables and are tricked into running unintended binaries. The lack of required privileges and user interaction increases the risk in automated or exposed environments. European organizations with critical infrastructure, cloud service providers, and software vendors using Go could face operational disruptions or require emergency patching once fixes are available. The absence of known exploits reduces immediate urgency but does not eliminate the need for proactive mitigation.

Mitigation Recommendations

European organizations should audit their use of the Go os/exec package, especially the LookPath function, to identify if their applications or services are vulnerable. They should verify that the PATH environment variable is correctly configured to include only directories, not executable files, and implement environment hardening to prevent injection or manipulation of PATH by untrusted sources. Container and orchestration platforms should enforce strict environment variable policies to avoid accidental inclusion of executables in PATH. Developers should consider upgrading to Go versions beyond 1.24.0 once patches are released. In the interim, code reviews should ensure that LookPath is not called with potentially problematic inputs such as "", ".", or "..". Monitoring and alerting for unusual process executions or PATH modifications can help detect exploitation attempts. Additionally, organizations should isolate critical services and limit the exposure of environment variables to reduce attack surface. Incorporating these specific controls will help mitigate the risk beyond generic vulnerability management.

Technical Details

Data Version: 5.1
Assigner Short Name: Go
Date Reserved: 2025-05-13T23:31:29.596Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68cc6f9bc42e09d33b9ea2c7

Added to database: 9/18/2025, 8:46:19 PM

Last enriched: 9/18/2025, 8:46:53 PM

Last updated: 9/18/2025, 8:46:53 PM
