CVE-2025-61732

Summary

A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

Affected Software

VendorProductVersion RangeStatus
Go toolchaincmd/cgo0 < 1.24.13affected
Go toolchaincmd/cgo1.25.0-0 < 1.25.7affected

Weaknesses

  • CWE-94: Improper Control of Generation of Code ('Code Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

cmd/cgo: Go cgo: Code smuggling due to comment parsing discrepancy

Additional References

References