Vulnerability Report: GO-2026-4339

  • CVE-2025-61731, CVE-2025-61731
  • Affects: cmd/go
  • Published: Jan 28, 2026

Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.

Affected Packages

  • Path
    Versions
    Symbols
  • cmd/go
    before go1.24.12, from go1.25.0 before go1.25.6
    all symbols

Aliases

References

Credits

  • RyotaK (https://ryotak.net) of GMO Flatt Security Inc.

Feedback

See anything missing or incorrect? Suggest an edit to this report.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.