vulnerability
Amazon Linux AMI 2: CVE-2025-4674: Security patch for golang (ALAS-2025-2939)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:L/AC:M/Au:N/C:C/I:C/A:C) | May 20, 2026 | May 20, 2026 | May 20, 2026 |
Severity
7
CVSS
(AV:L/AC:M/Au:N/C:C/I:C/A:C)
Published
May 20, 2026
Added
May 20, 2026
Modified
May 20, 2026
Description
The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.
Solutions
amazon-linux-ami-2-upgrade-golangamazon-linux-ami-2-upgrade-golang-binamazon-linux-ami-2-upgrade-golang-docsamazon-linux-ami-2-upgrade-golang-miscamazon-linux-ami-2-upgrade-golang-sharedamazon-linux-ami-2-upgrade-golang-srcamazon-linux-ami-2-upgrade-golang-tests
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.