CVE-2025-61731
published 2026-01-28

Priority: P346 high
CVSS 3.1: 7.8 (AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
EPSS: 0.53% (40.8th percentile)
Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file supplies command-line arguments that are passed to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.

Affected

8 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.24 1.24.12-1 (forky) | golang-1.24 1.24.12-1 (forky) |
| debian | golang-1.19 | < golang-1.24 1.24.12-1 (forky) | golang-1.24 1.24.12-1 (forky) |
| debian | golang-1.24 | < golang-1.24 1.24.12-1 (forky) | golang-1.24 1.24.12-1 (forky) |
| debian | golang-1.25 | < golang-1.24 1.24.12-1 (forky) | golang-1.24 1.24.12-1 (forky) |
| go_toolchain | cmd_go | < 1.24.12 | 1.24.12 |
| go_toolchain | cmd_go | >= 1.25.0 < 1.25.6 | 1.25.6 |
| golang | go | < 1.24.12 | 1.24.12 |
| golang | go | >= 1.25.0 < 1.25.6 | 1.25.6 |

CVSS provenance

nvd: v3.1, 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv: 7.8 HIGH
vendor_debian: 7.8 HIGH
vendor_redhat: 7.8 HIGH