[security] Go 1.24.6 and Go 1.23.12 are released

Dmitri Shuralyov

Aug 6, 2025, 3:27:03 PM
to golan...@googlegroups.com
Hello gophers,

We have just released Go versions 1.24.6 and 1.23.12, minor point releases.

These minor releases include 2 security fixes following the security policy:
  • os/exec: LookPath may return unexpected paths

    If the PATH environment variable contains paths which are executables (rather
    than just directories), passing certain strings to LookPath ("", ".", and ".."),
    can result in the binaries listed in the PATH being unexpectedly returned.

    Thanks to Olivier Mengué for reporting this issue.

    This is CVE-2025-47906 and Go issue https://go.dev/issue/74466.

  • database/sql: incorrect results returned from Rows.Scan

    Cancelling a query (e.g. by cancelling the context passed to one of the query
    methods) during a call to the Scan method of the returned Rows can result in
    unexpected results if other queries are being made in parallel. This can result
    in a race condition that may overwrite the expected results with those of
    another query, causing the call to Scan to return either unexpected results
    from the other query or an error.

    We believe this affects most database/sql drivers.

    Thanks to Spike Curtis from Coder for reporting this issue.

    This is CVE-2025-47907 and https://go.dev/issue/74831.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.24.6

You can download binary and source distributions from the Go website:
https://go.dev/dl/

To compile from source using a Git clone, update to the release with
git checkout go1.24.6 and build as usual.

Thanks to everyone who contributed to the releases.

Cheers,
Mark and Dmitri for the Go team