CVE-2025-47906: CWE-115: Misinterpretation of Input in Go standard library os/exec
If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and "..") can result in the binaries listed in the PATH being unexpectedly returned.
AI Analysis
Technical Summary
CVE-2025-47906 is a vulnerability identified in the Go programming language's standard library, specifically within the os/exec package's LookPath function. LookPath is designed to locate an executable binary in the directories listed in the PATH environment variable. The issue arises when the PATH variable contains entries that are executable files themselves rather than directories, which is an uncommon but possible misconfiguration. When certain inputs such as an empty string (""), a single dot ("."), or double dots ("..") are passed to LookPath, the function can mistakenly return binaries listed directly in the PATH instead of searching directories as intended. This behavior is classified under CWE-115, indicating a misinterpretation of input leading to unexpected behavior. The vulnerability affects all Go versions from the initial release up to version 1.24.0. Exploitation does not require any privileges or user interaction, and the attack vector is network-based, meaning remote exploitation is possible if the vulnerable function is exposed. The impact includes potential confidentiality loss if unintended binaries are executed and availability issues if malicious or unintended binaries disrupt normal operations. No patches or fixes are currently linked, and no exploits have been observed in the wild. However, the vulnerability poses a risk in environments where PATH variables might be manipulated or improperly set, such as automated build systems, containerized environments, or CI/CD pipelines using Go tooling.
Potential Impact
For European organizations, the vulnerability could lead to unintended execution of binaries, which may cause data leakage or service disruption. This is particularly concerning for organizations relying heavily on Go for critical infrastructure, cloud services, or software development. Misconfigured PATH variables in development or production environments could be exploited to execute malicious code or disrupt services, impacting confidentiality and availability. The medium CVSS score (6.5) reflects moderate risk, but the lack of required privileges or user interaction increases the likelihood of exploitation in automated or unattended systems. Organizations in sectors such as finance, telecommunications, and government services, where Go is used extensively, may face operational risks if this vulnerability is exploited. Additionally, supply chain attacks targeting Go-based build environments could leverage this flaw to introduce malicious binaries. Overall, the impact is moderate but could escalate if combined with other vulnerabilities or misconfigurations.
Mitigation Recommendations
European organizations should immediately audit their PATH environment variables to ensure they contain only directories and not executable files. Developers and system administrators should update Go to versions beyond 1.24.0 once patches are released. Until patches are available, avoid passing empty strings or dot-related inputs to LookPath in custom code. Implement strict environment sanitation in CI/CD pipelines and container environments to prevent PATH pollution. Use container security best practices to limit executable paths and employ runtime monitoring to detect unexpected binary executions. Additionally, conduct code reviews focusing on the use of os/exec and LookPath to identify and remediate unsafe usage patterns. Employ application whitelisting and integrity monitoring to detect unauthorized binaries. Finally, maintain awareness of updates from the Go project regarding patches or workarounds.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Go
- Date Reserved: 2025-05-13T23:31:29.596Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68cc6f9bc42e09d33b9ea2c7
Added to database: 9/18/2025, 8:46:19 PM
Last enriched: 11/4/2025, 9:51:02 PM
Last updated: 12/17/2025, 3:43:29 AM