CVE-2025-47907

Aliases:GO-2025-3849BIT-golang-2025-47907

Advisory lineage Upstream: 0 Downstream: 37

Downstream

DEBIAN-CVE-2025-47907 MGASA-2025-0221 OPENSUSE-SU-2025:15420-1 OPENSUSE-SU-2025:15422-1 OPENSUSE-SU-2025:15423-1 OPENSUSE-SU-2025:15424-1

Analyzed

Published: 07 Aug 2025, 15:25

Last modified:04 Nov 2025, 21:10

Vulnerability Summary

Overall Risk (default)

medium

28/100

CVSS Score

7 HIGH

v3.1 (cve.org)

EPSS Score

0.07% LOW

0% probability +0.06%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

07 Aug 2025, 15:25

Published

Vulnerability first disclosed

04 Nov 2025, 21:10

Last Modified

Vulnerability information updated

Description

Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.

CVSS Metrics

v3.1•HIGH•Score: 7CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

EPSS Trends

Current EPSS score: 0.07%• Percentile: 22%

Techniques & Countermeasures

CWE-362•Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Affected Systems

go standard library•database/sql
< 1.23.12 | ≥ 1.24.0, < 1.24.6
golang•go
< 1.23.12 | ≥ 1.24.0, < 1.24.6
Go•stdlib
≥ 1.24.0, < 1.24.6