Go database/sql Scan context cancellation race condition
CVE-2025-47907 Published on August 7, 2025
Incorrect results returned from Rows.Scan in database/sql
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.
Vulnerability Analysis
CVE-2025-47907 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Products Associated with CVE-2025-47907
Want to know whenever a new CVE is published for GoLang Go? stack.watch will email you.
Affected Versions
Go standard library database/sql:- Before 1.23.12 is affected.
- Version 1.24.0 and below 1.24.6 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.