CVE-2025-4674: 
cAdvisor vulnerability analysis and mitigation

CVE-2025-4674 is a security vulnerability discovered in the Go programming language's command-line tool that affects its interaction with version control systems (VCS). The vulnerability was discovered by RyotaK of GMO Flatt Security Inc and was publicly disclosed on July 29, 2025. The issue affects Go versions before 1.23.11 and from 1.24.0-0 before 1.24.5 (Go Project, Go Announce).

The vulnerability occurs when the Go toolchain operates in directories fetched using various VCS tools. The issue arises when a directory contains multiple VCS configuration metadata (such as a '.hg' directory in a Git repository). The Go toolchain attempts to resolve which VCS is being used to embed build information in binaries and determine module versions, which can lead to unexpected command execution. The vulnerability has been assigned a CVSS v3.1 base score of 8.6 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (NVD).

The vulnerability can result in unexpected code execution when using the Go toolchain in untrusted VCS repositories. This could potentially lead to arbitrary command execution if exploited. However, modules retrieved using the go command line (via 'go get') are not affected by this vulnerability (Go Project).

The issue has been fixed in Go versions 1.23.11 and 1.24.5. The fix implements a new behavior where the toolchain will abort attempting to resolve which VCS is being used if it detects multiple VCS configuration metadata in a module directory or nested VCS configuration metadata. While this will result in binaries omitting VCS-related build information, it prevents potential exploitation. For users who require the old behavior in trusted environments, it can be re-enabled by setting GODEBUG=allowmultiplevcs=1 (Go Announce).