| Name | CVE-2025-47906 |
| Description | If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1110947, 1110948 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| golang-1.15 (PTS) | bullseye | 1.15.15-1~deb11u4 | vulnerable |
| golang-1.19 (PTS) | bookworm | 1.19.8-2 | vulnerable |
| golang-1.23 (PTS) | sid | 1.23.10-1 | vulnerable |
| golang-1.24 (PTS) | trixie | 1.24.4-1 | vulnerable |
| forky, sid | 1.24.7-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| golang-1.15 | source | (unstable) | (unfixed) | |||
| golang-1.19 | source | (unstable) | (unfixed) | |||
| golang-1.23 | source | (unstable) | (unfixed) | 1110948 | ||
| golang-1.24 | source | (unstable) | 1.24.7-1 | 1110947 |
[trixie] - golang-1.24 <no-dsa> (Minor issue)
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
[bullseye] - golang-1.15 <postponed> (Minor issue)
https://groups.google.com/g/golang-announce/c/x5MKroML2yM/m/5_v-oMjUAgAJ
https://github.com/golang/go/issues/74466
https://github.com/golang/go/commit/0f5133b742bf61cda6c98b4cd1d313a330f13f32 (go1.24.6)
https://github.com/golang/go/commit/8fa31a2d7d9e60c50a3a94080c097b6e65773f4b (go1.23.12)