
Mageia 9: MGASA-2025-0205 critical: GoLang code execution exploit

July 11, 2025
Mageia 9 security bulletin highlights a critical golang flaw enabling unauthorized code execution from untrusted VCS sources.

Summary

Various uses of the Go toolchain in untrusted VCS repositories can result in unexpected code execution. Using the Go toolchain in directories fetched with various VCS tools (for example, by directly cloning Git or Mercurial repositories) can cause the toolchain to execute unexpected commands if the directory contains metadata for more than one VCS (such as a '.hg' directory in a Git repository). This is due to how the Go toolchain attempts to resolve which VCS is being used in order to embed build information in binaries and determine module versions.
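
A pre-build check for the condition described above, as an added example that is not part of the advisory or the Go project's code: it walks a checkout and lists directories where metadata for more than one VCS is in effect. The marker names and the function name `MixedVCS` are assumptions of this example, and it only inspects directories inside the given root, not its parents.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Assumed marker names for this example: metadata entry -> VCS kind.
var markers = map[string]string{".git": "git", ".hg": "hg", ".svn": "svn",
	".bzr": "bzr", ".fslckout": "fossil", "_FOSSIL_": "fossil"}

// MixedVCS returns every directory under root that holds VCS metadata while
// more than one VCS kind is present between root and that directory.
func MixedVCS(root string) ([]string, error) {
	var mixed []string
	seen := map[string]map[string]bool{} // dir -> kinds found from root down
	err := filepath.WalkDir(root, func(p string, d os.DirEntry, err error) error {
		if err != nil || !d.IsDir() {
			return err
		}
		if _, meta := markers[d.Name()]; meta && p != root {
			return filepath.SkipDir // do not descend into the metadata itself
		}
		kinds, own := map[string]bool{}, false
		for k := range seen[filepath.Dir(p)] {
			kinds[k] = true // inherit kinds declared by enclosing directories
		}
		for name, kind := range markers {
			if _, err := os.Lstat(filepath.Join(p, name)); err == nil {
				kinds[kind], own = true, true
			}
		}
		seen[p] = kinds
		if own && len(kinds) > 1 {
			mixed = append(mixed, p)
		}
		return nil
	})
	return mixed, err
}

func main() {
	mixed, err := MixedVCS(".") // check the directory the build would run in
	fmt.Println(mixed, err)
	if err != nil || len(mixed) > 0 {
		os.Exit(1) // non-zero so a build script can stop here
	}
}
```

A repository with nested metadata of the same kind (for example a Git checkout containing another `.git` directory) is not reported, because only one VCS kind is involved.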

References

- https://bugs.mageia.org/show_bug.cgi?id=34456

- https://www.openwall.com/lists/oss-security/2025/07/08/5

- https://github.com/golang/go/issues/74382

- https://www.cve.org/CVERecord?id=CVE-2025-4674

Resolution

SRPMS

- 9/core/golang-1.24.5-1.mga9

Severity
critical

Publication date: 11 Jul 2025
URL: https://advisories.mageia.org/MGASA-2025-0205.html
Type: security
CVE: CVE-2025-4674
