CVE-2025-61731
Published 2026-01-28
CVE-2025-61731: Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content.
Priority: P3 · 46 · high
CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.53% (40.8th percentile)
Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file specifies command-line arguments that cmd/go passes to the pkg-config command. An attacker can supply a "--log-file" argument in this directive, causing pkg-config to write its log to an attacker-controlled location.
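Because the directive itself is an ordinary cgo feature, a repository-side guard for untrusted contributions is to reject any pkg-config directive whose arguments look like options rather than package names, independently of the toolchain upgrade that actually fixes the issue. The following Go program is an added example and is not code from the Go project or from any advisory on this page: it scans Go source text for "#cgo pkg-config:" directives and reports every argument that begins with "-". The function name, the Finding type and the embedded sample source are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding records one argument of a "#cgo pkg-config:" directive that looks
// like a command-line option rather than a pkg-config package name.
type Finding struct {
	Line int    // 1-based line number within the scanned source
	Arg  string // the offending argument as written
}

// pkgConfigDirective matches a cgo directive of the form
//   #cgo [GOOS/GOARCH constraints] pkg-config: <args>
// inside either a line comment ("// #cgo ...") or a block comment.
// Constraint tokens consist of word characters, commas, '!' and '.',
// so "pkg-config:" itself can never be consumed as a constraint.
var pkgConfigDirective = regexp.MustCompile(
	`^\s*(?://\s*)?#cgo\s+(?:[\w,!.]+\s+)*pkg-config:\s*(.*)$`)

// FindFlagLikePkgConfigArgs scans Go source text line by line and returns
// every pkg-config directive argument that begins with '-'. Legitimate
// directives name packages (for example "zlib" or "gtk+-3.0"), never
// options, so any such argument is treated as suspicious.
func FindFlagLikePkgConfigArgs(src string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(src))
	for lineNo := 1; sc.Scan(); lineNo++ {
		m := pkgConfigDirective.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		for _, arg := range strings.Fields(m[1]) {
			if strings.HasPrefix(arg, "-") {
				findings = append(findings, Finding{Line: lineNo, Arg: arg})
			}
		}
	}
	return findings
}

// sampleSource is a constructed Go file for this example: one benign
// directive and one that smuggles an option in the style the advisory
// describes. The log path is a placeholder, not a value from the page.
const sampleSource = `package main

/*
#cgo pkg-config: zlib
#cgo linux pkg-config: --log-file=/tmp/constructed-example.log zlib
#include <zlib.h>
*/
import "C"

func main() {}
`

func main() {
	findings := FindFlagLikePkgConfigArgs(sampleSource)
	if len(findings) == 0 {
		fmt.Println("no flag-like pkg-config arguments found")
		return
	}
	for _, f := range findings {
		fmt.Printf("line %d: suspicious pkg-config argument %q\n", f.Line, f.Arg)
	}
}
```

Run as a pre-merge check over every .go file in a module; on the constructed sample it reports line 5. The check is deliberately coarse: package names passed to pkg-config never start with "-", so flagging that prefix catches "--log-file" in either its "--log-file=path" or "--log-file path" spelling without needing a list of dangerous options.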
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.24 1.24.12-1 (forky) | golang-1.24 1.24.12-1 (forky) |
| debian | golang-1.19 | < golang-1.24 1.24.12-1 (forky) | golang-1.24 1.24.12-1 (forky) |
| debian | golang-1.24 | < golang-1.24 1.24.12-1 (forky) | golang-1.24 1.24.12-1 (forky) |
| debian | golang-1.25 | < golang-1.24 1.24.12-1 (forky) | golang-1.24 1.24.12-1 (forky) |
| go_toolchain | cmd_go | < 1.24.12 | 1.24.12 |
| go_toolchain | cmd_go | >= 1.25.0 < 1.25.6 | 1.25.6 |
| golang | go | < 1.24.12 | 1.24.12 |
| golang | go | >= 1.25.0 < 1.25.6 | 1.25.6 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | | 7.8 | HIGH | |
| vendor_debian | | 7.8 | HIGH | |
| vendor_redhat | | 7.8 | HIGH | |
VulDB
cmd-go up to 1.24.11/1.25.5 on Go File os command injection (Nessus ID 297011 / WID-SEC-2026-0129)
vuldb·2026-07-01·CVSS 7.8
A vulnerability described as critical has been identified in cmd-go up to 1.24.11/1.25.5 on Go. This issue affects some unknown processing of the component File Handler. Such manipulation leads to os command injection.
This vulnerability is uniquely identified as CVE-2025-61731. The attack can be launched remotely. No exploit exists.
Upgrading the affected component is recommended.
GHSA
GHSA-xvqr-69v8-f3gv: Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content
ghsa_unreviewed·2026-01-28
Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.
OSV
CVE-2025-61731: Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content
osv·2026-01-28·CVSS 7.8
Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.
OSV
Arbitrary file write using cgo pkg-config directive in cmd/go
osv·2026-01-28
Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content.
The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.
Red Hat
cmd/go: cmd/go: Arbitrary file write via malicious pkg-config directive
vendor_redhat·2026-01-28·CVSS 7.8
Severity: HIGH · CWE-88
Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.
A flaw was found in cmd/go. An attacker can exploit this by building a malicious Go source file that uses the '#cgo pkg-config:' directive. This allows the attacker to write to an arbitrary file with partial control over its content, by providing a '--log-file' argument to the pkg-config command. This vulnerability can lead to a
Debian
CVE-2025-61731: golang-1.15 - Building a malicious file with cmd/go can cause a write to an attacker...
vendor_debian·2025·CVSS 7.8
Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.
Scope: local
bullseye: open
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-61731 golang: cmd/go: Arbitrary file write via malicious pkg-config directive [fedora-all]
bugzilla·2026-04-28·CVSS 7.8
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2025-61731 gcc-epel: cmd/go: Arbitrary file write via malicious pkg-config directive [epel-all]
bugzilla·2026-04-28·CVSS 7.8
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2025-61731 cmd/go: cmd/go: Arbitrary file write via malicious pkg-config directive
bugzilla·2026-01-28·CVSS 7.8
Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10
Via RHSA-2026:5941 https://access.redhat.com/errata/RHSA-2026:5941
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10.0 Extended Update Support
Via RHSA-2026:5943 https://ac
Wiz
CVE-2025-61731 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2025-61731: cAdvisor vulnerability analysis and mitigation
Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.
Source : NVD
Score 7.8
Published January 28, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
cAdvisor
Terraform Community
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.1
Exploitation Probability (EPSS) N/A
References
https://go.dev/cl/736711
https://go.dev/issue/77100
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
https://pkg.go.dev/vuln/GO-2026-4339
https://access.redhat.com/errata/RHSA-2026:12118
https://access.redhat.com/errata/RHSA-2026:12282
https://access.redhat.com/errata/RHSA-2026:13736
https://access.redhat.com/errata/RHSA-2026:14100
https://access.redhat.com/errata/RHSA-2026:14774
https://access.redhat.com/errata/RHSA-2026:15091
https://access.redhat.com/errata/RHSA-2026:20088
https://access.redhat.com/errata/RHSA-2026:21691
https://access.redhat.com/errata/RHSA-2026:3556
https://access.redhat.com/errata/RHSA-2026:3559
https://access.redhat.com/errata/RHSA-2026:3855
https://access.redhat.com/errata/RHSA-2026:4434
https://access.redhat.com/errata/RHSA-2026:5133
https://access.redhat.com/errata/RHSA-2026:5907
https://access.redhat.com/errata/RHSA-2026:5941
https://access.redhat.com/errata/RHSA-2026:5942
https://access.redhat.com/errata/RHSA-2026:5943
https://access.redhat.com/errata/RHSA-2026:5944
https://access.redhat.com/errata/RHSA-2026:5948
https://access.redhat.com/errata/RHSA-2026:5950
https://access.redhat.com/errata/RHSA-2026:5952
https://access.redhat.com/errata/RHSA-2026:6949
https://access.redhat.com/errata/RHSA-2026:7291
https://access.redhat.com/errata/RHSA-2026:7385
https://access.redhat.com/errata/RHSA-2026:7833
https://access.redhat.com/errata/RHSA-2026:7834
https://access.redhat.com/errata/RHSA-2026:7876
https://access.redhat.com/errata/RHSA-2026:7877
https://access.redhat.com/errata/RHSA-2026:7878
https://access.redhat.com/errata/RHSA-2026:7879
https://access.redhat.com/errata/RHSA-2026:7883
https://access.redhat.com/security/cve/CVE-2025-61731
https://bugzilla.redhat.com/show_bug.cgi?id=2434433
https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-61731.json
Published 2026-01-28