Detections
Analytics

Golang 1.23.x < 1.23.11 / 1.24.x < 1.24.5 Command Execution

high Nessus Plugin ID 241710

Language:

Synopsis

An application installed on the remote host is affected by a command execution vulnerability.

Description

The version of Golang running on the remote host is 1.23.x prior to 1.23.11, 1.24.x prior to 1.24.3. It is, therefore, affected by a command execution vulnerability as referenced in 74380 advisory.

 - Various uses of the Go toolchain in untrusted VCS repositories can result in unexpected code execution. When using the Go toolchain in directories fetched using various VCS tools (such as directly cloning Git or Mercurial repositories) can cause the toolchain to execute unexpected commands, if said directory contains multiple VCS configuration metadata (such as a '.hg' directory in a Git repository). This is due to how the Go toolchain attempts to resolve which VCS is being used in order to embed build information in binaries and determine module versions. (CVE-2025-4674)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Golang Go version 1.23.11, 1.24.5 or later.

See Also

https://github.com/golang/go/issues/74380

https://groups.google.com/g/golang-announce/c/gTNJnDXmn34

Plugin Details

Severity: High

ID: 241710

File Name: golang_1_24_5.nasl

Version: 1.2

Type: local

Family: Misc.

Published: 7/10/2025

Updated: 7/11/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: High

Base Score: 7.2

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-4674

CVSS v3

Risk Factor: High

Base Score: 8.6

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:golang:go

Required KB Items: installed_sw/Golang Go Programming Language

Patch Publication Date: 7/8/2025

Vulnerability Publication Date: 7/8/2025

Reference Information

CVE: CVE-2025-4674

IAVB: 2025-B-0108