CVE-2025-68119

7.0 HIGH

📋 TL;DR

This vulnerability allows attackers to execute arbitrary code or write arbitrary files when downloading and building Go modules with malicious version strings. It affects systems with Mercurial (hg) or Git installed when using non-standard module sources or explicitly providing malicious version strings to the toolchain. Users who download Go modules from untrusted sources or process untrusted version strings are at risk.

💻 Affected Systems

Products:
  • Go toolchain
Versions: All versions before the fix
Operating Systems: All platforms where Go is installed
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when downloading modules from non-standard sources or explicitly providing malicious version strings. Standard usage with @latest or bare module paths is not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise through arbitrary code execution, allowing attackers to install malware, exfiltrate data, or pivot to other systems.

🟠 Likely Case

Local file system manipulation or limited code execution in the context of the user running the Go toolchain, potentially leading to data theft or privilege escalation.

🟢 If Mitigated

No impact if only using standard module sources (@latest or bare module paths) and not processing untrusted version strings.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the victim to download modules from attacker-controlled sources or process attacker-provided version strings.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.24.1 or later

Vendor Advisory: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc

Restart Required: No

Instructions:

1. Update Go to version 1.24.1 or later.
2. For Mercurial-related issues, ensure you're using Go 1.24.1+.
3. For Git-related issues, update to Go 1.24.1+ and ensure Git is properly configured.

🔧 Temporary Workarounds

Restrict module sources (applies to: all)

Only download Go modules from trusted, standard sources and avoid using custom domains or untrusted repositories.

Validate version strings (applies to: all)

Implement input validation for any version strings provided to the Go toolchain from external sources.

🧯 If You Can't Patch

  • Implement strict access controls to prevent downloading modules from untrusted sources
  • Use sandboxed environments or containers when building Go modules from external sources

🔍 How to Verify

Check if Vulnerable:

Check if your Go version is older than 1.24.1 and if you download modules from non-standard sources or process external version strings.

Check Version:

go version

Verify Fix Applied:

Verify Go version is 1.24.1 or later using 'go version' command and confirm modules are only downloaded from trusted sources.

📡 Detection & Monitoring

Log Indicators:

  • Unusual VCS commands being executed during module downloads
  • Module downloads from non-standard domains or repositories
  • Errors or warnings related to version string parsing

Network Indicators:

  • HTTP requests to unusual domains during module downloads
  • Git or Mercurial protocol traffic to unexpected repositories

SIEM Query:

Search for process executions of 'git' or 'hg' commands with unusual arguments during Go module operations
