DEBIAN-CVE-2025-68119
Advisory lineage Upstream: 1 Downstream: 0
Upstream
Published: 28 Jan 2026, 20:16
Last modified:28 Apr 2026, 20:30
Vulnerability Summary
Overall Risk (default)
medium
28/100 CVSS Score
7 HIGH
3.1 (osv_debian)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
28 Jan 2026, 20:16
Published
Vulnerability first disclosed
28 Apr 2026, 20:30
Last Modified
Vulnerability information updated
Description
Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths.
CVSS Metrics
- v3.1•HIGH•Score: 7CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Systems
- debian•golang-1.15
all
- debian•golang-1.19
all
- debian•golang-1.24
all | < 1.24.13-1 | all
- debian•golang-1.25
all | < 1.25.6-1