CVE-2025-47906: 
Wolfi vulnerability analysis and mitigation

CVE-2025-47906 is a security vulnerability in Go programming language's os/exec package that affects multiple versions including Go 1.24 before 1.24.6 and Go 1.23 before 1.23.12. The vulnerability was discovered by Olivier Mengué and publicly disclosed on August 6, 2025. The issue affects the LookPath function in the os/exec package, which can return unexpected paths when the PATH environment variable contains executable files rather than just directories (Golang Announce).

The vulnerability occurs when the PATH environment variable contains paths that are executables rather than directories. When passing certain strings to LookPath function (specifically empty string "", ".", and ".."), the function may unexpectedly return the binaries listed in the PATH instead of raising an error. This behavior is particularly concerning on Windows systems, where the incorrect resolution can be triggered when a malicious executable file exists in the parent directory of a PATH element (GitHub Issue).

The vulnerability could allow attackers to hide the launch of external commands from code reviewers or static analysis tools. While the general risk is considered low since exploitation requires control of both PATH and the argument to exec.LookPath (or on Windows, a writable directory parent to a PATH element), it breaks the expectation that exec.LookPath sanitizes user input before calling exec.Command. A command name that would normally be rejected by Cmd.Start (like an empty string) may still lead to execution (GitHub Issue).

The vulnerability has been fixed in Go versions 1.24.6 and 1.23.12. Users are advised to upgrade to these versions or later to address the security issue. The fix was released on August 6, 2025, as part of the security updates (Golang Announce).