GO-2025-3956

Source
https://pkg.go.dev/vuln/GO-2025-3956
Import Source
https://vuln.go.dev/ID/GO-2025-3956.json
JSON Data
https://api.test.osv.dev/v1/vulns/GO-2025-3956
Aliases
Published
2025-09-18T18:21:44Z
Modified
2025-09-20T09:27:03.678139Z
Summary
Unexpected paths returned from LookPath in os/exec
Details

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and "..") can result in the binaries listed in the PATH being unexpectedly returned.

Database specific
{
    "url": "https://pkg.go.dev/vuln/GO-2025-3956",
    "review_status": "REVIEWED"
}
References

Affected packages

Go / stdlib

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.23.12
Introduced
1.24.0
Fixed
1.24.6

Ecosystem specific

{
    "imports": [
        {
            "symbols": [
                "LookPath"
            ],
            "path": "os/exec"
        }
    ]
}