CVE-2025-47907

NameCVE-2025-47907
DescriptionCancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1110949, 1110950

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-1.15 (PTS)bullseye1.15.15-1~deb11u4vulnerable
golang-1.19 (PTS)bookworm1.19.8-2vulnerable
golang-1.24 (PTS)trixie1.24.4-1vulnerable
forky, sid1.24.9-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-1.15source(unstable)(unfixed)
golang-1.19source(unstable)(unfixed)
golang-1.23source(unstable)(unfixed)1110950
golang-1.24source(unstable)1.24.7-11110949

Notes

[trixie] - golang-1.24 <no-dsa> (Minor issue)
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
[bullseye] - golang-1.15 <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
https://groups.google.com/g/golang-announce/c/x5MKroML2yM/m/5_v-oMjUAgAJ
https://github.com/golang/go/issues/74831
https://github.com/golang/go/commit/83b4a5db240960720e51b7d5a6da1f399bd868ee (go1.24.6)
https://github.com/golang/go/commit/8a924caaf348fdc366bab906424616b2974ad4e9 (go1.23.12)
Search for package or bug name: Reporting problems