Race Condition Affecting std/database/sql package, versions <1.23.12>=1.24.0 <1.24.6
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-GOLANG-STDDATABASESQL-14545642
- published6 Jan 2026
- disclosed7 Aug 2025
- creditSpike Curtis from Coder
Introduced: 7 Aug 2025
CVE-2025-47907 (opens in a new tab)How to fix?
Upgrade std/database/sql to version 1.23.12, 1.24.6 or higher.
Overview
std/database/sql is a Go standard library package std/database/sql
Affected versions of this package are vulnerable to Race Condition.
Go Vulnerability Report:
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.