CVE-2025-47906
Unexpected paths returned from LookPath in os/exec
6.5
MEDIUM
CVSS 3.1
EPSS 0.04%
Description
If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and "..") can result in the binaries listed in the PATH being unexpectedly returned.
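As an added illustration (not part of this advisory or of the Go project's own code), the Go program below does two things a caller can do regardless of toolchain version: refuse the three names the description lists before they reach exec.LookPath, and audit a PATH-style list for entries that are files rather than directories, which is the precondition for this issue. The names SafeLookPath, NonDirectoryPathEntries and ErrInvalidName are assumed helpers written for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// ErrInvalidName is returned for the three strings that CVE-2025-47906
// describes: they resolve to a PATH entry itself, not to a file inside it.
var ErrInvalidName = errors.New(`lookpath: name must not be "", "." or ".."`)

// SafeLookPath rejects "", "." and ".." before calling exec.LookPath, so the
// guard holds even on a toolchain older than the 1.23.12 / 1.24.6 fix.
func SafeLookPath(name string) (string, error) {
	switch name {
	case "", ".", "..":
		return "", ErrInvalidName
	}
	return exec.LookPath(name)
}

// NonDirectoryPathEntries returns every entry of a PATH-style list that
// exists on disk but is not a directory (for example an executable file).
func NonDirectoryPathEntries(pathList string) []string {
	var bad []string
	for _, entry := range filepath.SplitList(pathList) {
		if entry == "" {
			continue
		}
		info, err := os.Stat(entry)
		if err == nil && !info.IsDir() {
			bad = append(bad, entry)
		}
	}
	return bad
}

func main() {
	// Audit the live PATH of this process for file (non-directory) entries.
	for _, bad := range NonDirectoryPathEntries(os.Getenv("PATH")) {
		fmt.Println("PATH entry is not a directory:", bad)
	}
	if _, err := SafeLookPath(""); err != nil {
		fmt.Println("rejected:", err)
	}
}
```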
How to fix CVE-2025-47906
To remediate CVE-2025-47906, upgrade the affected package to a fixed version below.
- upgrade to 1.23.12 or later
- no fix listed
- no fix listed
- no fix listed
- upgrade to 1.23.12 or later
Is CVE-2025-47906 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (5)
- affected: >= 0, < 1.23.12; >= 1.24.0, < 1.24.6
- affected: >= 0
- affected: >= 0
- affected: >= 0
- affected: >= 0, < 1.23.12; >= 1.24.0, < 1.24.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L |