CVE-2025-61731
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "–log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Go toolchain | cmd/go | 0 < 1.24.12 | affected |
| Go toolchain | cmd/go | 1.25.0 < 1.25.6 | affected |
Weaknesses
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
cmd/go: cmd/go: Arbitrary file write via malicious pkg-config directive
Additional References
- https://access.redhat.com/security/cve/CVE-2025-61731
- https://bugzilla.redhat.com/show_bug.cgi?id=2434433
- https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-61731.json
- https://access.redhat.com/errata/RHSA-2026:5943
- https://access.redhat.com/errata/RHSA-2026:5941
- https://access.redhat.com/errata/RHSA-2026:6949
- https://access.redhat.com/errata/RHSA-2026:7878
- https://access.redhat.com/errata/RHSA-2026:7879
- https://access.redhat.com/errata/RHSA-2026:7876
- https://access.redhat.com/errata/RHSA-2026:7877
- https://access.redhat.com/errata/RHSA-2026:7883
- https://access.redhat.com/errata/RHSA-2026:7833
- https://access.redhat.com/errata/RHSA-2026:7834
- https://access.redhat.com/errata/RHSA-2026:5944
- https://access.redhat.com/errata/RHSA-2026:5942
- https://access.redhat.com/errata/RHSA-2026:7385
- https://access.redhat.com/errata/RHSA-2026:7291
- https://access.redhat.com/errata/RHSA-2026:12282
- https://access.redhat.com/errata/RHSA-2026:14100
- https://access.redhat.com/errata/RHSA-2026:21691
- https://access.redhat.com/errata/RHSA-2026:15091
- https://access.redhat.com/errata/RHSA-2026:14774
- https://access.redhat.com/errata/RHSA-2026:20088
- https://access.redhat.com/errata/RHSA-2026:5907
- https://access.redhat.com/errata/RHSA-2026:12118
- https://access.redhat.com/errata/RHSA-2026:5133
- https://access.redhat.com/errata/RHSA-2026:13736
- https://access.redhat.com/errata/RHSA-2026:4434
- https://access.redhat.com/errata/RHSA-2026:3855
- https://access.redhat.com/errata/RHSA-2026:3559
- https://access.redhat.com/errata/RHSA-2026:3556
- https://access.redhat.com/errata/RHSA-2026:5948
- https://access.redhat.com/errata/RHSA-2026:5950
- https://access.redhat.com/errata/RHSA-2026:5952
References
- https://go.dev/cl/736711
- https://go.dev/issue/77100
- https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
- https://pkg.go.dev/vuln/GO-2026-4339
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.