CVE-2025-22867Code Injection in Toolchain CMD GO

CWE-94Code Injection6 documents6 sources
Severity
7.5HIGHNVD
EPSS
0.4%
top 39.07%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
GO Toolchain CMD GO
Timeline
PublishedFeb 6

Description

On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only affected go1.24rc2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

CVEListV5go_toolchain/cmd_go1.24.0-rc.21.24.0-rc.3

🔴Vulnerability Details

3
OSV
Arbitrary code execution during build on darwin in cmd/go2025-02-06
CVEList
Arbitrary code execution during build on darwin in cmd/go2025-02-06
GHSA
GHSA-664g-9vm2-r26f: On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @execu2025-02-06

📋Vendor Advisories

2
Red Hat
cmd/go: Arbitrary code execution during build on darwin in cmd/go2025-02-06
Debian
CVE-2025-22867: golang-1.24 - On Darwin, building a Go module which contains CGO can trigger arbitrary code ex...2025
CVE-2025-22867 — Code Injection in GO Toolchain CMD GO | cvebase