CVE-2025-47907

7.0 HIGH

📋 TL;DR

Cancelling a query (for example by cancelling, or letting expire, the context passed to QueryContext) while Rows.Scan is still running can race with other queries executing in parallel on the same *sql.DB: the results Scan is copying may be overwritten by those of another query, so Scan returns rows that belong to a different query or an error. Affects any application that uses Go's database/sql package, runs queries concurrently, and cancels or times out query contexts.

💻 Affected Systems

Products:
  • Go programming language database/sql package
Versions: Go 1.24.x before 1.24.6 and Go 1.23.x before 1.23.12; Go 1.22 and earlier are end-of-life, also affected, and unpatched. Go 1.25.0 and later ship the fix.
Operating Systems: All operating systems running affected Go versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use database/sql, run queries concurrently, and cancel query contexts (an expiring deadline or timeout counts as cancellation). Applications that never cancel or time out query contexts, or never run queries in parallel, are not exposed.

📦 What is this software?

database/sql is the Go standard library's generic SQL interface. Applications use it directly, or through an ORM built on it, together with a third-party driver for their database. The vulnerable code lives in the standard library rather than in the driver, so it is compiled into every such application and is only fixed by rebuilding with a patched toolchain.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Data corruption or leakage where sensitive query results are returned to wrong users, potentially exposing confidential information or causing application logic errors.

🟠

Likely Case

Intermittent data inconsistencies or application errors when multiple concurrent database queries are executed with context cancellation.

🟢

If Mitigated

Minor application errors or degraded performance when race conditions occur, but no data exposure due to application-level validation.

🌐 Internet-Facing: MEDIUM - Web applications handling concurrent user requests with database queries could expose or corrupt user data.
🏢 Internal Only: MEDIUM - Internal services with concurrent database operations could experience data integrity issues affecting business processes.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires specific timing conditions with concurrent database operations and context cancellation. Not trivial to exploit reliably.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.24.6 or Go 1.23.12 (or any later release, including Go 1.25.0 and up)

Vendor Advisory: https://go.dev/issue/74831

Restart Required: Yes

Instructions:

1. Update the Go toolchain to 1.24.6 or 1.23.12 (or later).
2. Rebuild every affected application with the updated toolchain. The fix is in the standard library, so it only reaches a program when that program is recompiled; updating the toolchain changes nothing for binaries that were already built.
3. Redeploy the rebuilt binaries.
4. Restart the services running them.

🔧 Temporary Workarounds

Avoid concurrent query cancellation

all

Arrange the code so the context passed to QueryContext is not cancelled until rows.Close() has returned (defer cancel() before defer rows.Close(), so it runs afterwards), and do not pass a context whose deadline can expire while rows are still being scanned. The trade-off is that cancellation can no longer abort a slow query mid-scan, so pair this with a statement timeout enforced on the database server.

Implement query serialization

all

Use a mutex or other serialization so that a query, all of its Scan calls and its Close run to completion before another query on the same *sql.DB begins. The race needs a second query running in parallel, so removing the parallelism removes the race, at a throughput cost. Limiting the pool with db.SetMaxOpenConns(1) is not the same thing: the connection a cancelled Scan releases can be handed straight to the next waiting query.
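The two workarounds above combined in working code, as an added example that is not part of the advisory or of the Go project: a SerialDB wrapper holds a mutex across query, Scan and Close, cancels the per-query context only after Rows.Close has returned, and checks the shape of every scanned row (the application-level validation suggested under "If You Can't Patch"). The mem driver, the memTable sample data and the ID/Name validation rule are constructed for the example; a real application would use its own driver and *sql.DB.

```go
package main

import (
	"context"
	"database/sql"
	"database/sql/driver"
	"errors"
	"fmt"
	"io"
	"sync"
)

// Constructed in-memory driver standing in for a real database (not from the advisory).
var memTable = map[string][][]driver.Value{
	"SELECT id, name FROM users": {{int64(1), "alice"}, {int64(2), "bob"}},
}

type memDriver struct{}
type memConn struct{}
type memStmt struct{ query string }
type memRows struct {
	data [][]driver.Value
	pos  int
}

func (memDriver) Open(string) (driver.Conn, error)          { return &memConn{}, nil }
func (*memConn) Prepare(q string) (driver.Stmt, error)       { return &memStmt{query: q}, nil }
func (*memConn) Close() error                                { return nil }
func (*memConn) Begin() (driver.Tx, error)                   { return nil, errors.New("mem: no transactions") }
func (*memStmt) Close() error                                { return nil }
func (*memStmt) NumInput() int                               { return -1 }
func (*memStmt) Exec([]driver.Value) (driver.Result, error) { return nil, errors.New("mem: no exec") }
func (s *memStmt) Query([]driver.Value) (driver.Rows, error) {
	data, ok := memTable[s.query]
	if !ok {
		return nil, fmt.Errorf("mem: unknown query %q", s.query)
	}
	return &memRows{data: data}, nil
}
func (*memRows) Columns() []string { return []string{"id", "name"} }
func (*memRows) Close() error      { return nil }
func (r *memRows) Next(dest []driver.Value) error {
	if r.pos >= len(r.data) {
		return io.EOF
	}
	copy(dest, r.data[r.pos])
	r.pos++
	return nil
}

func init() { sql.Register("mem", memDriver{}) }

// SerialDB wraps *sql.DB so only one query is open at a time. The race needs a second
// query running while a cancelled Scan is still copying; holding mu removes it.
type SerialDB struct {
	mu sync.Mutex
	db *sql.DB
}

// QueryAll runs q and drains every row through scan. The per-query context is cancelled
// only after rows.Close() has returned (defers run last-in, first-out), so cancellation
// never lands mid-Scan. The parent context should not carry a deadline that fires mid-query.
func (s *SerialDB) QueryAll(parent context.Context, q string, scan func(*sql.Rows) error) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	ctx, cancel := context.WithCancel(parent)
	defer cancel() // deferred first, so it runs after rows.Close() below
	rows, err := s.db.QueryContext(ctx, q)
	if err != nil {
		return err
	}
	defer rows.Close()
	for rows.Next() {
		if err := scan(rows); err != nil {
			return err
		}
	}
	return rows.Err() // surfaces a cancellation that interrupted iteration
}

type User struct {
	ID   int64
	Name string
}

// LoadUsers is the application-side pattern: a serialized query plus a sanity check on
// every scanned row, so a value that belongs to another query is rejected, not used.
func LoadUsers(ctx context.Context) ([]User, error) {
	db, err := sql.Open("mem", "")
	if err != nil {
		return nil, err
	}
	defer db.Close()
	var users []User
	err = (&SerialDB{db: db}).QueryAll(ctx, "SELECT id, name FROM users", func(r *sql.Rows) error {
		var u User
		if err := r.Scan(&u.ID, &u.Name); err != nil {
			return err
		}
		if u.ID <= 0 || u.Name == "" { // hypothetical shape rule for this table
			return fmt.Errorf("unexpected row %+v: possible cross-query contamination", u)
		}
		users = append(users, u)
		return nil
	})
	return users, err
}

func main() {
	users, err := LoadUsers(context.Background())
	fmt.Println(users, err) // [{1 alice} {2 bob}] <nil>
}
```

QueryAll trades throughput for safety: every query on the wrapped *sql.DB waits for the previous one to finish, so scope the wrapper to the code paths that actually cancel contexts rather than wrapping the whole pool. It is a stopgap; rebuilding with a fixed toolchain is the fix.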

🧯 If You Can't Patch

  • Implement application-level data validation to detect and handle unexpected query results
  • Add monitoring for database query errors and implement circuit breakers for failing queries

🔍 How to Verify

Check if Vulnerable:

Run 'go version' on each build host. Go 1.24.x below 1.24.6, Go 1.23.x below 1.23.12, and any older Go release is vulnerable. Because the bug is in the standard library, also check what each deployed binary was built with: 'go version -m /path/to/binary' prints the toolchain version embedded in the binary, and a binary built with a vulnerable toolchain stays vulnerable until it is rebuilt, whatever the build host now runs. govulncheck (golang.org/x/vuln/cmd/govulncheck) also reports this CVE when run against the source tree or a binary.

Check Version:

go version

Verify Fix Applied:

After rebuilding, 'go version -m <binary>' on each deployed binary should report go1.24.6, go1.23.12 or later; a fixed toolchain on the build host proves nothing for binaries that have not been rebuilt. Then exercise the application under concurrent queries with context cancellation and confirm that cancellation surfaces only as errors from Scan or Rows.Err, never as rows from another query.
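A version check as an added example (not part of the advisory): the function below parses a `go version` line, or the first line of `go version -m <binary>`, and reports whether the toolchain is at or past the fix releases go1.23.12 / go1.24.6. Binary paths passed on the command line are assumed to be Go programs deployed on the host.

```shell
#!/bin/sh
# Classify a toolchain string against the CVE-2025-47907 fix releases.
# Accepts "go version go1.24.3 linux/amd64" or "/srv/app: go1.24.3" (first line of
# `go version -m`, which reports the toolchain a deployed binary was built with).
# Exit status: 0 fixed, 1 vulnerable, 2 unparseable or pre-release build.
go_fixed_for_cve_2025_47907() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*go\([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    case "$1" in
        *"go$ver"rc*|*"go$ver"beta*) return 2 ;;   # rc/beta builds: check release notes instead
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    [ "$major" -eq 1 ] || return 2
    if [ "$minor" -ge 25 ] \
        || { [ "$minor" -eq 24 ] && [ "$patch" -ge 6 ]; } \
        || { [ "$minor" -eq 23 ] && [ "$patch" -ge 12 ]; }; then
        echo "go$ver: fixed"
        return 0
    fi
    echo "go$ver: VULNERABLE to CVE-2025-47907 (needs go1.23.12 / go1.24.6 or later)"
    return 1
}

# Check the local toolchain, then every deployed binary given as an argument. The binary
# is what matters: the fix only reaches production when the program is rebuilt.
if command -v go >/dev/null 2>&1; then
    go_fixed_for_cve_2025_47907 "$(go version)" || true
    for bin in "$@"; do
        go_fixed_for_cve_2025_47907 "$(go version -m "$bin" 2>/dev/null | head -n 1)" || true
    done
fi
```

Run it as `sh check_go.sh /srv/app/*` on each host; any line marked VULNERABLE names a binary that needs a rebuild, not just a toolchain update.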

📡 Detection & Monitoring

Log Indicators:

  • Scan returning values of an unexpected type or from the wrong table ("sql: Scan error on column index ..." messages)
  • "sql: Rows are closed" errors from Scan or Next
  • "context canceled" or "context deadline exceeded" errors during database operations
  • Data inconsistency reports tied to requests that ran concurrently with cancelled or timed-out queries

Network Indicators:

  • Increased error responses from the database server
  • A rise in client-initiated query cancellations in database server logs, coinciding with application-side scan errors

SIEM Query:

source="application_logs" AND ("unexpected query result" OR "sql: Scan error" OR "sql: Rows are closed" OR ("context canceled" AND "database"))
