CVE-2025-61731 — Argument Injection in Toolchain CMD GO

CWE-88 — Argument Injection9 documents8 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 98.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Toolchain CMD GO Golang GO

Timeline

PublishedJan 28

Description

Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶NVDgolang/go1.25.0 — 1.25.6+1

▶CVEListV5go_toolchain/cmd_go1.25.0 — 1.25.6+1

Patches

Patch: go.dev ↗

🔴Vulnerability Details

CVEList

Arbitrary file write using cgo pkg-config directive in cmd/go↗2026-01-28

▶

GHSA

GHSA-xvqr-69v8-f3gv: Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content↗2026-01-28

▶

OSV

CVE-2025-61731: Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content↗2026-01-28

▶

OSV

Arbitrary file write using cgo pkg-config directive in cmd/go↗2026-01-28

▶

📋Vendor Advisories

Red Hat

cmd/go: cmd/go: Arbitrary file write via malicious pkg-config directive↗2026-01-28

▶

Debian

CVE-2025-61731: golang-1.15 - Building a malicious file with cmd/go can cause can cause a write to an attacker...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-61731 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2025-61731 cmd/go: cmd/go: Arbitrary file write via malicious pkg-config directive↗2026-01-28

▶