AZL-66101

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-66101.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-66101

Upstream

CVE-2025-4674

Published

2025-07-29T22:15:25Z

Modified

2026-04-01T05:20:42.011338Z

Summary

CVE-2025-4674 affecting package golang for versions less than 1.22.7-5

Details

The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-4674

Affected packages

Azure Linux:2 / golang

Package

Name: golang
Purl: pkg:rpm/azure-linux/golang

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.19.0

Fixed

1.22.7-5

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-66101.json"