Race condition in Go programming language - CVE-2025-47907

 


Published: August 14, 2025 / Updated: January 19, 2026


Vulnerability identifier: #VU114080
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-47907
CWE-ID: CWE-362
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Google
Affected software: Go programming language

Detailed vulnerability description

The vulnerability allows an attacker to tamper with the application. 

The vulnerability exists due to a race condition when canceling a DB query. A local user can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system. A remote user can overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.


How to mitigate CVE-2025-47907

Install updates from the vendor's website.
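Go's standard library is compiled into each binary, so applying the update means rebuilding affected services. To prioritize which code to rebuild and retest first, the following added example (not part of the advisory or of the Go project) lists functions that pair a context-aware `database/sql` query call with `Scan`, the combination the description refers to. `FindCandidates` and `sampleSrc` are hypothetical names, the sample source is constructed, and matching is by method name only, so the output is a review list that is neither exact nor exhaustive.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Constructed sample source, embedded so the example runs offline.
const sampleSrc = `package app
func userName(ctx context.Context, db *sql.DB, id int) (name string, err error) {
	err = db.QueryRowContext(ctx, "SELECT name FROM users WHERE id = ?", id).Scan(&name)
	return
}
func ping(db *sql.DB) error { return db.Ping() }`

var cancellable = map[string]bool{"QueryContext": true, "QueryRowContext": true}

// FindCandidates returns the names of functions that call both a context-aware
// query method and Scan. It matches method names without type checking
// (an assumption of this sketch), so hits are candidates for review, not findings.
func FindCandidates(src string) ([]string, error) {
	file, err := parser.ParseFile(token.NewFileSet(), "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, decl := range file.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		if !ok || fn.Body == nil {
			continue
		}
		var query, scan bool
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			if call, ok := n.(*ast.CallExpr); ok {
				if sel, ok := call.Fun.(*ast.SelectorExpr); ok {
					query = query || cancellable[sel.Sel.Name]
					scan = scan || sel.Sel.Name == "Scan"
				}
			}
			return true
		})
		if query && scan {
			hits = append(hits, fn.Name.Name)
		}
	}
	return hits, nil
}

func main() { fmt.Println(FindCandidates(sampleSrc)) }
```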
