Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.
We believe this affects most database/sql drivers.
Thanks to Spike Curtis from Coder for reporting this issue.
This is CVE-2025-47907 and https://go.dev/issue/74831.
This is a PRIVATE issue for CVE-2025-47907, tracked in http://b/428194174.
/cc @golang/security and @golang/release
Comment From: rolandshoemaker
@gopherbot please open backport issues.
Comment From: gopherbot
Backport issue(s) opened: #74832 (for 1.23), #74833 (for 1.24), #74834 (for 1.25).
Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.
Comment From: rolandshoemaker
@gopherbot open a backport issue for Go 1.25.
Comment From: gopherbot
Change https://go.dev/cl/693616 mentions this issue: [release-branch.go1.24] database/sql: avoid closing Rows while scan is in progress
Comment From: gopherbot
Change https://go.dev/cl/693559 mentions this issue: [release-branch.go1.25] database/sql: avoid closing Rows while scan is in progress
Comment From: gopherbot
Change https://go.dev/cl/693558 mentions this issue: [release-branch.go1.23] database/sql: avoid closing Rows while scan is in progress
Comment From: gopherbot
Change https://go.dev/cl/693735 mentions this issue: database/sql: avoid closing Rows while scan is in progress
Comment From: newhook
Do you have any idea when this bug was introduced? We're trying to determine the urgency of importing this fix. It sounds potentially alarming, but if we've been running with this problem in production for months, that obviously lowers the immediate importance.
Comment From: rolandshoemaker
@newhook we didn't resolve the exact version in which this was introduced, but this locking behavior has been around for quite a long time, likely on the order of multiple years.
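An added example, not part of the thread and not code from database/sql: a simplified model of the race described in the issue text, run once with the lock dropped before the copy and once with it held for the whole copy, in the spirit of the change titled "avoid closing Rows while scan is in progress". The `rows` type, `run`, `holdLock` and the alice/bob values are constructed for illustration and assume a connection whose row buffer is reused by the next query.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// rows models a result set reading from a pooled connection's row buffer (constructed model).
type rows struct {
	mu   sync.RWMutex    // taken exclusively by close
	buf  *[2]string      // buffer owned by the connection, reused by the next query
	pool chan *[2]string // free-connection pool
}
// close is what a cancelled context triggers: the connection returns to the pool.
func (r *rows) close() {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.pool <- r.buf
}
// scan copies two columns and calls midScan between them. With holdLock the read
// lock covers the whole copy; without it the lock is dropped before copying.
func (r *rows) scan(holdLock bool, midScan func()) [2]string {
	r.mu.RLock()
	if holdLock {
		defer r.mu.RUnlock()
	} else {
		r.mu.RUnlock()
	}
	first := r.buf[0]
	midScan()
	return [2]string{first, r.buf[1]}
}
// run scans a row of query A while a cancellation and a parallel query B interleave.
func run(holdLock bool) [2]string {
	r := &rows{buf: &[2]string{"alice", "alice-token"}, pool: make(chan *[2]string, 1)}
	overwritten := make(chan struct{})
	return r.scan(holdLock, func() {
		go r.close() // cancellation arrives mid-scan
		go func() {  // query B reuses the released connection
			*(<-r.pool) = [2]string{"bob", "bob-token"}
			close(overwritten)
		}()
		select { // wait for B, or give up when close is blocked on the lock
		case <-overwritten:
		case <-time.After(time.Second):
		}
	})
}
func main() { fmt.Println("lock dropped:", run(false), "lock held:", run(true)) }
```

In the first run the scanned row mixes a column from query A with a column from query B; in the second, `close` cannot proceed until the copy finishes, so the row stays intact.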