How to fix CVE-2025-68119?

Within 24 hours: Inventory all systems with Mercurial installed and identify those downloading modules from non-standard sources; alert development and DevOps teams of the vulnerability. Within 7 days: Apply available patches to all affected systems and validate successful deployment. Within 30 days: Conduct code review of module sourcing practices, implement module source whitelisting policies, and establish controls to restrict module downloads to trusted repositories only.

Is Go affected by CVE-2025-68119?

CVE-2025-68119 allows attackers to execute arbitrary code on systems downloading modules with malicious version strings, particularly affecting organizations using Mercurial version control.

CVE-2025-68119

HIGH

2026-01-28 [email protected]

7.0

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

Patch Released

Feb 06, 2026 - 18:40 nvd

Patch available

CVE Published

Jan 28, 2026 - 20:16 nvd

HIGH 7.0

Description

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths.

Analysis

Technical Context

Classified as CWE-787 (Out-of-bounds Write). Affects Go. Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker

Affected Products

Vendor: Golang. Product: Go.

Remediation

A vendor patch is available — apply it immediately. Enable ASLR, DEP/NX, and stack canaries where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +35

POC: 0

Vendor Status

CVE-2025-68119 vulnerability details – vuln.today

Back

CVE-2025-68119

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

CVE-2025-68119

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

External POC / Exploit Code