CVE-2025-22867
Published 2025-02-06
CVE-2025-22867: On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the…
Priority P346 high 7.5 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.59% (43.8th percentile)
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only affected go1.24rc2.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.24 | — | — |
| go_toolchain | cmd_go | >= 1.24.0-rc.2 < 1.24.0-rc.3 | 1.24.0-rc.3 |
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vendor_debian · 7.5 LOW
vendor_redhat · 7.5 HIGH
OSV
Arbitrary code execution during build on darwin in cmd/go
osv·2025-02-06
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only affected go1.24rc2.
GHSA
GHSA-664g-9vm2-r26f: On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @execu
ghsa_unreviewed·2025-02-06
CVE-2025-22867 [HIGH]
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only affected go1.24rc2.
Red Hat
cmd/go: Arbitrary code execution during build on darwin in cmd/go
vendor_redhat·2025-02-06·CVSS 7.5
CVE-2025-22867 [HIGH] CWE-94
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only affected go1.24rc2.
A vulnerability was found in the cmd/go golang package. On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive.
Statement: This issue only affects go1.24rc2. The go1.24rc2 version is not used in any of the Red Hat products, therefore, Red Hat is not affected by this vulnerability.
Mitig
Debian
CVE-2025-22867: golang-1.24 - On Darwin, building a Go module which contains CGO can trigger arbitrary code ex...
vendor_debian·2025·CVSS 7.5
CVE-2025-22867 [HIGH]
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only affected go1.24rc2.
Scope: local
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
No public exploits indexed.
Published: 2025-02-06