CVE-2023-29405
Published 2023-06-08
CVE-2023-29405: The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other…
Priority P2 · 62 · critical · 9.8 · CVSS 3.1
CVSS vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
EPSS
1.73%
74.7th percentile
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
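The bypass class described above, as an added illustration that is not code from cmd/go: each "#cgo LDFLAGS" value is validated as one unit against an allowlist whose argument patterns accept spaces, so a single flag such as `-L/opt/lib --disallowed-flag` passes. If the already-checked flags are later handed to the link step through a whitespace-split line, the embedded space produces a second, never-checked linker argument. The allowlist below is a reduced stand-in for the real table, `--disallowed-flag` is a placeholder for any flag the allowlist rejects, and the join-then-resplit hand-off is an assumption made for illustration; the exact code path is in the fix CL linked at the bottom of this page.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// allowedLDFlags is an illustrative allowlist in the style of the per-flag
// checks the go command applies to "#cgo LDFLAGS" values. It is NOT the real
// cmd/go table. Note that the argument part of -L and -l (".*") accepts spaces.
var allowedLDFlags = regexp.MustCompile(`^(?:` + strings.Join([]string{
	`-L([^@\-].*)`,                // library search path
	`-l([^@\-].*)`,                // library name
	`-Wl,-rpath(?:,|=)([^@\-].*)`, // rpath handed to the linker
	`-pthread`,
}, "|") + `)$`)

// checkLinkerFlags validates each flag as one unit, the way the sanitizer
// sees it: a flag string is accepted whole or rejected whole.
func checkLinkerFlags(flags []string) error {
	for _, f := range flags {
		if !allowedLDFlags.MatchString(f) {
			return fmt.Errorf("invalid flag in #cgo LDFLAGS: %q", f)
		}
	}
	return nil
}

// resplitOnWhitespace models the vulnerable hand-off (assumed for
// illustration): the checked flags are written as one space-separated line
// and read back with whitespace splitting, so a space inside one flag's
// argument becomes a new, unchecked linker argument.
func resplitOnWhitespace(checked []string) []string {
	line := strings.Join(checked, " ")
	return strings.Fields(line)
}

// roundTripQuoted models a hardened hand-off: each flag is written as a
// Go-quoted string and read back with strconv.QuotedPrefix, so the flag
// boundaries the sanitizer validated are exactly what the linker receives.
// (cmd/go's own fix uses its own quoting helper; this is a stand-in.)
func roundTripQuoted(checked []string) ([]string, error) {
	parts := make([]string, 0, len(checked))
	for _, f := range checked {
		parts = append(parts, strconv.Quote(f))
	}
	line := strings.Join(parts, " ")

	var out []string
	rest := line
	for {
		rest = strings.TrimLeft(rest, " ")
		if rest == "" {
			break
		}
		q, err := strconv.QuotedPrefix(rest)
		if err != nil {
			return nil, fmt.Errorf("malformed flags line: %w", err)
		}
		f, err := strconv.Unquote(q)
		if err != nil {
			return nil, err
		}
		out = append(out, f)
		rest = rest[len(q):]
	}
	return out, nil
}

func main() {
	// Constructed input: the -L argument carries an embedded space followed
	// by a placeholder for a flag the allowlist would reject on its own.
	fromDirective := []string{"-L/opt/lib --disallowed-flag", "-lfoo"}

	fmt.Println("sanitizer verdict on the directive:", checkLinkerFlags(fromDirective))

	leaked := resplitOnWhitespace(fromDirective)
	fmt.Printf("vulnerable hand-off -> %q\n", leaked)
	fmt.Println("re-check of what reached the linker:", checkLinkerFlags(leaked))

	kept, err := roundTripQuoted(fromDirective)
	fmt.Printf("hardened hand-off   -> %q (err=%v)\n", kept, err)
}
```

The practical lesson is the one the advisory states: sanitizing a flag list is only meaningful if the token boundaries that were checked are the token boundaries the linker receives. A re-check of the final argument vector immediately before exec, as `checkLinkerFlags(leaked)` does here, catches the class even when the hand-off is wrong.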
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | — | — |
| debian | golang-1.19 | — | — |
| fedoraproject | fedora | — | — |
| go_toolchain | cmd_cgo | < 1.19.10 | 1.19.10 |
| go_toolchain | cmd_cgo | >= 1.20.0-0 < 1.20.5 | 1.20.5 |
| go_toolchain | cmd_go | < 1.19.10 | 1.19.10 |
| go_toolchain | cmd_go | >= 1.20.0-0 < 1.20.5 | 1.20.5 |
| golang | go | < 1.19.10 | 1.19.10 |
| golang | go | >= 1.20.0 < 1.20.5 | 1.20.5 |
| msrc | azl3_golang_1.20.7-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.24.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-9_on_azure_linux_3.0 | — | — |
| msrc | cbl2_golang_1.17.13-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.18.8-7_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.20.7-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.21.6-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_msft-golang_1.20.7-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_python-tensorboard_2.11.0-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_tensorflow_2.11.1-2_on_cbl_mariner_2.0 | — | — |
Detection & IOCs (extracted from sources)
- Trigger vector: malicious module processed via 'go get' or any build command using cgo with the gccgo compiler, where '#cgo LDFLAGS' directives contain flags with embedded spaces to smuggle disallowed flags past sanitization
- Scope is limited exclusively to the gccgo compiler; the standard Go toolchain (pre-compiled golang binaries) is NOT affected. Focus detection on build environments using gccgo
- Red Hat confirms: only customer use of the GCCGO compiler is affected, not pre-compiled golang binaries. Triage build pipelines for gccgo usage
- Arbitrary code execution occurs at build time (not runtime). Monitor CI/CD and build system logs for unexpected process spawning during 'go get' or cgo build steps with gccgo
- Vulnerability is exclusively triggered when using the gccgo compiler; the standard Go compiler toolchain is not affected
- The smuggling technique relies on flags with embedded spaces inside a '#cgo LDFLAGS' directive; the LDFLAGS sanitization logic does not correctly handle space-embedded arguments
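A source-level triage check for the indicator listed above, as an added example that is not part of the original page or of the Go project: it walks a Go file's cgo preamble, splits each `#cgo ... LDFLAGS:` value with quote-aware tokenization (cgo itself lets quotes group a token, which is how a single flag acquires an embedded space), and reports any token that still contains whitespace. The sample source is constructed for the demo, `--disallowed-flag` is a placeholder, and a hit only matters for builds that actually run with `-compiler=gccgo`.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// cgoLDFlagsLine matches "#cgo [constraints] LDFLAGS: <value>" lines, with or
// without a leading "//", and captures the value part.
var cgoLDFlagsLine = regexp.MustCompile(`^\s*(?://\s*)?#cgo\s+(?:[^:]*\s)?LDFLAGS:\s*(.*)$`)

// splitQuoted tokenizes a directive value the way cgo does (modelled here,
// not cgo's own code): whitespace separates tokens, single or double quotes
// group a token, and a backslash escapes the next character.
func splitQuoted(s string) ([]string, error) {
	var (
		toks  []string
		cur   []rune
		quote rune
		esc   bool
		open  bool // a token is in progress (keeps empty quoted tokens)
	)
	for _, r := range s {
		switch {
		case esc:
			cur = append(cur, r)
			esc = false
		case r == '\\':
			esc = true
			open = true
		case quote != 0:
			if r == quote {
				quote = 0
			} else {
				cur = append(cur, r)
			}
		case r == '"' || r == '\'':
			quote = r
			open = true
		case r == ' ' || r == '\t':
			if open {
				toks = append(toks, string(cur))
				cur = cur[:0]
				open = false
			}
		default:
			cur = append(cur, r)
			open = true
		}
	}
	if esc || quote != 0 {
		return nil, fmt.Errorf("unterminated quote or escape in %q", s)
	}
	if open {
		toks = append(toks, string(cur))
	}
	return toks, nil
}

// Finding is one LDFLAGS token that carries embedded whitespace.
type Finding struct {
	Line  int
	Token string
}

// ScanSource reports every LDFLAGS token in src that contains a space or tab.
func ScanSource(src string) ([]Finding, error) {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(src))
	n := 0
	for sc.Scan() {
		n++
		m := cgoLDFlagsLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		toks, err := splitQuoted(m[1])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n, err)
		}
		for _, t := range toks {
			if strings.ContainsAny(t, " \t") {
				out = append(out, Finding{Line: n, Token: t})
			}
		}
	}
	return out, sc.Err()
}

// sample is a constructed cgo preamble: one clean directive and one whose
// quoted token hides a second flag behind an embedded space.
const sample = `package probe

/*
#cgo CFLAGS: -I/opt/include
#cgo LDFLAGS: -L/opt/lib -lfoo
#cgo linux LDFLAGS: "-L/opt/lib --disallowed-flag" -lbar
#include <foo.h>
*/
import "C"
`

func main() {
	findings, err := ScanSource(sample)
	if err != nil {
		fmt.Println("scan error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("line %d: LDFLAGS token with embedded whitespace: %q\n", f.Line, f.Token)
	}
}
```

Run this over vendored modules and the module cache before a gccgo build; a clean result does not prove the build is safe, but a hit is exactly the shape of input the advisory describes and deserves a manual look.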
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv · 9.8 CRITICAL
vendor_debian · 9.8 CRITICAL
vendor_msrc · 9.8 CRITICAL
vendor_redhat · 9.8 CRITICAL
vendor_ubuntu · 9.8 CRITICAL
OSV
golang-1.18 vulnerabilities
osv·2024-11-14·CVSS 7.5
CVE-2022-41723 [HIGH] golang-1.18 vulnerabilities
golang-1.18 vulnerabilities
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2
streams. An attacker could possibly use this issue to cause a denial of
service. (CVE-2022-41723)
Marten Seemann discovered that Go did not properly manage memory under
certain circumstances. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2022-41724)
Ameya Darshan and Jakob Ackermann discovered that Go did not properly
validate the amount of memory and disk files ReadForm can consume. An
attacker could possibly use this issue to cause a panic resulting in a
denial of service. (CVE-2022-41725)
Hunter Wittenborn discovered that Go incorrectly handled the sanitization
of environment variables. An attacker could possibly use this issue to run
OSV
golang-1.17 vulnerabilities
osv·2024-10-10·CVSS 9.8
CVE-2023-24531 [CRITICAL] golang-1.17 vulnerabilities
golang-1.17 vulnerabilities
Hunter Wittenborn discovered that Go incorrectly handled the sanitization
of environment variables. An attacker could possibly use this issue to run
arbitrary commands. (CVE-2023-24531)
Sohom Datta discovered that Go did not properly validate backticks (`) as
Javascript string delimiters, and did not escape them as expected. An
attacker could possibly use this issue to inject arbitrary Javascript code
into the Go template. (CVE-2023-24538)
Juho Nurminen discovered that Go incorrectly handled certain special
characters in directory or file paths. An attacker could possibly use
this issue to inject code into the resulting binaries. (CVE-2023-29402)
Vincent Dehors discovered that Go incorrectly handled permission bits.
An attacker could possibly use this issue
OSV
Improper sanitization of LDFLAGS with embedded spaces in go command with cgo in cmd/go
osv·2023-06-08
CVE-2023-29405 Improper sanitization of LDFLAGS with embedded spaces in go command with cgo in cmd/go
Improper sanitization of LDFLAGS with embedded spaces in go command with cgo in cmd/go
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive.
Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
GHSA
GHSA-68g3-2p3g-w9pq: The go command may execute arbitrary code at build time when using cgo
ghsa_unreviewed·2023-06-08
CVE-2023-29405 [CRITICAL] CWE-74 GHSA-68g3-2p3g-w9pq: The go command may execute arbitrary code at build time when using cgo
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
OSV
CVE-2023-29405: The go command may execute arbitrary code at build time when using cgo
osv·2023-06-08·CVSS 9.8
CVE-2023-29405 [CRITICAL] CVE-2023-29405: The go command may execute arbitrary code at build time when using cgo
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
Ubuntu
Go vulnerabilities
vendor_ubuntu·2024-11-14·CVSS 7.5
CVE-2023-29405 [HIGH] Go vulnerabilities
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2
streams. An attacker could possibly use this issue to cause a denial of
service. (CVE-2022-41723)
Marten Seemann discovered that Go did not properly manage memory under
certain circumstances. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2022-41724)
Ameya Darshan and Jakob Ackermann discovered that Go did not properly
validate the amount of memory and disk files ReadForm can consume. An
attacker could possibly use this issue to cause a panic resulting in a
denial of service. (CVE-2022-41725)
Hunter Wittenborn discovered that Go incorrectly handled the sanitization
of environment variables
Ubuntu
Go vulnerabilities
vendor_ubuntu·2024-10-10·CVSS 9.8
CVE-2023-29405 [CRITICAL] Go vulnerabilities
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
Hunter Wittenborn discovered that Go incorrectly handled the sanitization
of environment variables. An attacker could possibly use this issue to run
arbitrary commands. (CVE-2023-24531)
Sohom Datta discovered that Go did not properly validate backticks (`) as
Javascript string delimiters, and did not escape them as expected. An
attacker could possibly use this issue to inject arbitrary Javascript code
into the Go template. (CVE-2023-24538)
Juho Nurminen discovered that Go incorrectly handled certain special
characters in directory or file paths. An attacker could possibly use
this issue to inject code into the resulting binaries. (CVE-2023-29402)
Vincent Dehors discovered that Go incorrectly handled permissio
Microsoft
Improper sanitization of LDFLAGS with embedded spaces in go command with cgo in cmd/go
vendor_msrc·2023-06-13·CVSS 9.8
CVE-2023-29405 [CRITICAL] CWE-74 Improper sanitization of LDFLAGS with embedded spaces in go command with cgo in cmd/go
Improper sanitization of LDFLAGS with embedded spaces in go command with cgo in cmd/go
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Red Hat
golang: cmd/cgo: Arbitrary code execution triggered by linker flags
vendor_redhat·2023-06-08·CVSS 9.8
CVE-2023-29405 [CRITICAL] CWE-74 golang: cmd/cgo: Arbitrary code execution triggered by linker flags
golang: cmd/cgo: Arbitrary code execution triggered by linker flags
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
A flaw was found in golang. The go command may execute arbitrary code at build time when using cgo. This can occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This ca
Debian
CVE-2023-29405: golang-1.15 - The go command may execute arbitrary code at build time when using cgo. This may...
vendor_debian·2023·CVSS 9.8
CVE-2023-29405 [CRITICAL] CVE-2023-29405: golang-1.15 - The go command may execute arbitrary code at build time when using cgo. This may...
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
Scope: local
bullseye: open
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://go.dev/cl/501224
- https://go.dev/issue/60306
- https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
- https://lists.fedoraproject.org/archives/list/[email protected]/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
- https://pkg.go.dev/vuln/GO-2023-1842
- https://security.gentoo.org/glsa/202311-09
- https://security.netapp.com/advisory/ntap-20241206-0003/
Published: 2023-06-08