#VU114080 Race condition in Go programming language - CVE-2025-47907
Vulnerability identifier: #VU114080
Vulnerability risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-362
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Go programming language
Universal components / Libraries /
Scripting languages
Vendor: Google
Description
The vulnerability allows an attacker to tamper with the application.
The vulnerability exists due to a race condition when canceling a DB query. A local user can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system. A remote user can overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Go programming language: 1.23.0, 1.23.1, 1.23.2, 1.23.3, 1.23.4, 1.23.5, 1.23.6, 1.23.7, 1.23.8, 1.23.9, 1.23.10, 1.23.11, 1.24 rc1, 1.24 rc2, 1.24 rc.3, 1.24.0, 1.24.1, 1.24.2, 1.24.3, 1.24.4, 1.24.5
External links
https://go.dev/cl/693735
https://go.dev/issue/74831
https://groups.google.com/g/golang-announce/c/x5MKroML2yM
https://pkg.go.dev/vuln/GO-2025-3849
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
