CVE-2025-61731

Summary

Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "–log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.

Affected Software

VendorProductVersion RangeStatus
Go toolchaincmd/go0 < 1.24.12affected
Go toolchaincmd/go1.25.0 < 1.25.6affected

Weaknesses

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

cmd/go: cmd/go: Arbitrary file write via malicious pkg-config directive

Additional References

References