{"id":"GO-2025-3849","summary":"Incorrect results returned from Rows.Scan in database/sql","details":"Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.","aliases":["BIT-golang-2025-47907","CVE-2025-47907"],"modified":"2026-03-18T23:14:13.805882Z","published":"2025-08-07T15:07:27Z","related":["CGA-hp7c-8j96-c7mq","RHSA-2025:13935","RHSA-2025:13941","RHSA-2025:19397","RHSA-2025:19731","RHSA-2025:20909","RHSA-2025:20983","RHSA-2025:21336","RHSA-2025:21337","RHSA-2025:21382","RHSA-2025:21383","RHSA-2025:21384","RHSA-2025:21385"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2025-3849","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://go.dev/cl/693735"},{"type":"REPORT","url":"https://go.dev/issue/74831"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/x5MKroML2yM"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.23.12"},{"introduced":"1.24.0"},{"fixed":"1.24.6"}]}],"ecosystem_specific":{"imports":[{"symbols":["Row.Scan","Rows.Scan"],"path":"database/sql"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2025-3849.json"}}],"schema_version":"1.7.5","credits":[{"name":"Spike Curtis from Coder"}]}