Go Command Untrusted VCS Repository Command Execution Vulnerability

Vulnerability

A vulnerability exists in the Go command-line toolchain when used in untrusted version control system (VCS) repositories. This issue arises from the presence of potentially harmful VCS configuration metadata, which can lead to unexpected command execution. The vulnerability occurs when a repository, fetched through one VCS (like Git), contains metadata from another VCS (such as Mercurial). As a result, the Go toolchain may execute unintended commands while resolving VCS information for embedding build details in binaries and managing module versions. Notably, this vulnerability does not affect modules retrieved via 'go get'.

Impact

Exploitation of this vulnerability can result in unintended command execution within the Go toolchain, potentially leading to unauthorized actions or modifications in the development environment.

Reproduction

To reproduce this vulnerability, clone a Git repository that contains Mercurial metadata into a directory. Then, use the Go command-line tool within that directory. The Go toolchain will execute unexpected commands based on the conflicting VCS metadata, demonstrating the vulnerability.

Remediation

The Go toolchain has been updated to disable support for multiple VCS configurations in a single module, which closes this vulnerability. The fix ships in Go 1.24.5 and 1.23.11; update to one of those releases.
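As an added defensive check, not taken from the advisory or from the Go project, the following POSIX shell script flags a checkout that carries metadata from more than one VCS before the Go toolchain is run in it, and tests whether a `go version` string is at or above the fixed releases named above. The marker directory names (.git, .hg, .svn, .bzr) and the treatment of Go release lines other than 1.23 and 1.24 are assumptions; the sample checkout built in the comments is constructed for illustration.

```shell
#!/bin/sh
# Added defensive helpers (not part of the advisory or of the Go project):
# refuse to run the Go toolchain in a checkout that carries metadata from
# more than one VCS, and verify the toolchain version against the fix.
# The marker names below are an assumption based on what common VCS tools
# create at a repository root.

VCS_MARKERS=".git .hg .svn .bzr"

# Print a space-separated list of VCS markers found directly under $1.
list_vcs_markers() {
    dir=$1
    found=""
    for m in $VCS_MARKERS; do
        # .git may be a plain file (worktrees, submodules), so use -e not -d
        if [ -e "$dir/$m" ]; then
            found="$found${found:+ }$m"
        fi
    done
    printf '%s\n' "$found"
}

# Return 0 if the checkout is single-VCS (or has no VCS metadata), 1 if mixed.
check_mixed_vcs() {
    markers=$(list_vcs_markers "$1")
    n=0
    for m in $markers; do n=$((n + 1)); done
    if [ "$n" -gt 1 ]; then
        echo "WARNING: $1 contains metadata from multiple VCS: $markers" >&2
        return 1
    fi
    return 0
}

# Return 0 if a `go version` string (e.g. "go1.24.3") is at or above the
# fixed releases named in the advisory (1.24.5 / 1.23.11), else 1.
# Assumptions: minor lines newer than 1.24 carry the fix; lines older than
# 1.23 have no fixed release listed here and are treated as unpatched.
go_version_patched() {
    v=${1#go}
    major=${v%%.*}
    rest=${v#"$major".}
    case $rest in
        *.*) minor=${rest%%.*}; patch=${rest#*.} ;;
        *)   minor=$rest; patch=0 ;;
    esac
    # strip pre-release suffixes such as "rc1" from the numeric components
    minor=${minor%%[!0-9]*}
    patch=${patch%%[!0-9]*}
    [ -z "$minor" ] && minor=0
    [ -z "$patch" ] && patch=0
    [ "$major" -eq 1 ] || return 1
    if [ "$minor" -ge 25 ]; then return 0; fi
    if [ "$minor" -eq 24 ] && [ "$patch" -ge 5 ]; then return 0; fi
    if [ "$minor" -eq 23 ] && [ "$patch" -ge 11 ]; then return 0; fi
    return 1
}

# Usage in a CI step or pre-build hook (constructed illustration):
#   check_mixed_vcs . || exit 1
#   go_version_patched "$(go version | awk '{print $3}')" || exit 1
#   go build ./...
```

Running `check_mixed_vcs` against a scratch directory that holds both a `.git` and a `.hg` entry returns 1 and prints the warning; removing either marker makes it return 0. The version helper parses the third field of `go version` output and accepts `go1.24.5`, `go1.23.11` and any `go1.25` or later string, while rejecting `go1.24.4` and `go1.23.10`.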

Added: Jul 29, 2025, 10:25 PM
Updated: Jul 29, 2025, 10:25 PM

Vulnerability Rating

Custom Algorithm
spread:         5.4
impact:         7.5
exploitability: 5.4
remediation:    7.9
relevance:      0.3
threat:         4.8
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.