CVE-2025-47906

6.5 MEDIUM

📋 TL;DR

This vulnerability in Go's os/exec.LookPath function allows unexpected binary execution when PATH contains executable files instead of directories: when LookPath is called with the empty string, "." or "..", it can return one of those files as the resolved program. Attackers who can influence PATH entries could thereby cause applications to run unintended binaries. Affects Go programs that call LookPath with user-controlled input.

💻 Affected Systems

Products:
  • Go programming language
Versions: All versions before Go 1.23.2 and Go 1.22.11
Operating Systems: All platforms running Go
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability triggers when PATH contains executable files (not directories) and LookPath receives the empty string, "." or ".." as its argument.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution if the attacker controls the PATH variable and can influence LookPath calls with empty string, dot, or dot-dot arguments.

🟠 Likely Case

Local privilege escalation or unexpected binary execution in multi-user systems where users can modify PATH.

🟢 If Mitigated

Limited impact if PATH is properly sanitized and LookPath inputs are validated.

🌐 Internet-Facing: MEDIUM - Requires specific conditions but could affect web services processing user input.
🏢 Internal Only: MEDIUM - More likely in shared environments where users can influence environment variables.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to modify PATH environment variable and influence LookPath arguments.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.23.2 or Go 1.22.11

Vendor Advisory: https://groups.google.com/g/golang-announce/c/x5MKroML2yM

Restart Required: No

Instructions:

1. Update the Go installation: go install golang.org/dl/go1.23.2@latest
2. Run: go1.23.2 download
3. Set PATH to use the new version, or rebuild applications with the updated Go.

🔧 Temporary Workarounds

Sanitize PATH environment variable (platform: all)

Ensure PATH contains only directory paths, not executable files. The filter below keeps only entries that are existing directories and drops the trailing ':' so that no empty entry (which means the current directory) is introduced:

# keep only PATH entries that are directories; strip the trailing ':' left by the join
export PATH=$(echo "$PATH" | tr ':' '\n' | while read -r d; do [ -d "$d" ] && printf '%s:' "$d"; done | sed 's/:$//')

Validate LookPath inputs (platform: all)

Reject the empty string, "." and ".." in code calling LookPath.
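An added defender-side example, written for this page and not taken from the Go project or the vendor advisory, that implements both workarounds in Go: a name check that rejects the three trigger values before anything reaches LookPath, a filter that keeps only the directory entries of a PATH list, and a lookup that searches those directories only. The function names (ValidLookPathName, DirectoryEntries, SafeLookPath) are this example's own; the execute-bit test assumes Unix-style file modes.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrBadName is returned for the three argument values the advisory names as
// the trigger: the empty string, "." and "..".
var ErrBadName = errors.New("lookpath: refusing empty, \".\" or \"..\" program name")

// ValidLookPathName reports whether name is safe to hand to exec.LookPath.
// It rejects "", "." and ".." (the advisory's trigger values) and, as an extra
// guard, any name containing a path separator, so only bare program names
// are ever resolved against PATH.
func ValidLookPathName(name string) bool {
	switch name {
	case "", ".", "..":
		return false
	}
	return !strings.ContainsAny(name, `/\`)
}

// DirectoryEntries returns the entries of a PATH-style list that are existing
// directories. Entries that are files (the advisory's precondition) and empty
// entries (which a PATH search treats as the current directory) are dropped.
func DirectoryEntries(pathList string) []string {
	var dirs []string
	for _, entry := range filepath.SplitList(pathList) {
		if entry == "" {
			continue
		}
		if info, err := os.Stat(entry); err == nil && info.IsDir() {
			dirs = append(dirs, entry)
		}
	}
	return dirs
}

// SafeLookPath validates name and then searches only the directory entries of
// pathList for a regular file with an execute bit set (Unix file modes assumed).
// Passing pathList explicitly keeps the search deterministic and testable.
func SafeLookPath(name, pathList string) (string, error) {
	if !ValidLookPathName(name) {
		return "", ErrBadName
	}
	for _, dir := range DirectoryEntries(pathList) {
		candidate := filepath.Join(dir, name)
		info, err := os.Stat(candidate)
		if err != nil {
			continue
		}
		if info.Mode().IsRegular() && info.Mode().Perm()&0o111 != 0 {
			return candidate, nil
		}
	}
	return "", fmt.Errorf("lookpath: %q not found in directory entries of PATH", name)
}

func main() {
	pathList := os.Getenv("PATH")
	fmt.Printf("directory entries of PATH: %d of %d\n",
		len(DirectoryEntries(pathList)), len(filepath.SplitList(pathList)))
	// The first three names are the advisory's trigger values and are refused
	// before any filesystem lookup happens.
	for _, name := range []string{"", ".", "..", "sh"} {
		p, err := SafeLookPath(name, pathList)
		fmt.Printf("SafeLookPath(%q) -> %q, err=%v\n", name, p, err)
	}
}
```

If the application must keep calling exec.LookPath directly, ValidLookPathName alone is the minimal guard; DirectoryEntries can also be used to rebuild the PATH value handed to child processes so that file entries never reach them.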

🧯 If You Can't Patch

  • Audit all code using os/exec.LookPath and add input validation
  • Implement strict PATH environment variable controls in deployment

🔍 How to Verify

Check if Vulnerable:

Run go version. If the reported version is below 1.23.2 (1.23.x line) or below 1.22.11 (1.22.x line), the installation is vulnerable.

Check Version:

go version

Verify Fix Applied:

After update, verify with: go version | grep -E 'go1\.(23\.2|22\.11)' (this pattern matches only the two patch releases named above; widen it if you have moved to a later release).

📡 Detection & Monitoring

Log Indicators:

  • Unexpected binary execution from PATH entries
  • Failed LookPath calls with unusual arguments

Network Indicators:

  • Unusual outbound connections from Go applications

SIEM Query:

process.name:go AND (cmdline:*LookPath* OR env.PATH:*\.*)
