Go Toolchain Cmd Go vulnerabilities
19 known vulnerabilities affecting go_toolchain/cmd_go.
Total CVEs: 19
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 11, MEDIUM 3
Vulnerabilities
CVE-2023-29404 | P2 | CRITICAL | CVSS 9.8 | CWE-94 | fixed in 1.19.10 | ≥ 1.20.0-0, < 1.20.5 | 2023-06-08
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrect
nvd
CVE-2023-29405 | P2 | CRITICAL | CVSS 9.8 | CWE-74 | fixed in 1.19.10 | ≥ 1.20.0-0, < 1.20.5 | 2023-06-08
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed fla
nvd
CVE-2023-39320 | P2 | CRITICAL | CVSS 9.8 | CWE-94 | ≥ 1.21.0-0, < 1.21.1 | 2023-09-08
The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.
nvd
CVE-2023-29402 | P3 | CRITICAL | CVSS 9.8 | CWE-94 | fixed in 1.19.10 | ≥ 1.20.0-0, < 1.20.5 | 2023-06-08
The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not aff
nvd
CVE-2024-45340 | P3 | HIGH | CVSS 8.8 | ≥ 1.24.0-0, < 1.24.0-rc.2 | 2025-01-28
Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the user's .netrc file.
nvd
CVE-2023-24531 | P3 | CRITICAL | CVSS 9.8 | fixed in 1.21.0-0 | 2024-07-02
Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad behaviors, including executing arbitrary commands or inserting new environment variables. This issue is relatively minor because, in general, if an attacker can se
nvd
CVE-2023-39323 | P3 | HIGH | CVSS 8.1 | fixed in 1.20.9 | ≥ 1.21.0-0, < 1.21.2 | 2023-10-05
Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploitin
nvd
CVE-2026-27140 | P3 | HIGH | CVSS 8.8 | CWE-863 | fixed in 1.25.9 | ≥ 1.26.0-0, < 1.26.2 | 2026-04-08
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
nvd
CVE-2026-42501 | P3 | HIGH | CVSS 7.5 | CWE-347 | fixed in 1.25.10 | ≥ 1.26.0-0, < 1.26.3 | 2026-05-07
A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can serve altered versions of the Go toolchain. When selecting a different versi
nvd
CVE-2025-4674 | P3 | HIGH | CVSS 8.6 | CWE-73 | fixed in 1.23.11 | ≥ 1.24.0-0, < 1.24.5 | 2025-07-29
The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line,
nvd
CVE-2020-28367 | P3 | HIGH | CVSS 7.5 | CWE-94 | fixed in 1.14.12 | ≥ 1.15.0-0, < 1.15.5 | 2020-11-18
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.
nvd
CVE-2025-61731 | P3 | HIGH | CVSS 7.8 | CWE-88 | fixed in 1.24.12 | ≥ 1.25.0, < 1.25.6 | 2026-01-28
Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to
nvd
CVE-2025-22867 | P3 | HIGH | CVSS 7.5 | ≥ 1.24.0-rc.2, < 1.24.0-rc.3 | 2025-02-06
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only affected go1.24rc2.
nvd
CVE-2020-28366 | P3 | HIGH | CVSS 7.5 | CWE-94 | fixed in 1.14.12 | ≥ 1.15.0-0, < 1.15.5 | 2020-11-18
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.
nvd
CVE-2023-45285 | P3 | HIGH | CVSS 7.5 | fixed in 1.20.12 | ≥ 1.21.0-0, < 1.21.5 | 2023-12-06
Using go get to fetch a module with the ".git" suffix may unexpectedly fall back to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).
nvd
CVE-2025-68119 | P3 | HIGH | CVSS 7.0 | CWE-787 | ≥ 1.25.0, < 1.25.6 | 2026-01-28
Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious ve
nvd
CVE-2024-24787 | P4 | MEDIUM | CVSS 6.4 | fixed in 1.21.10 | ≥ 1.22.0-0, < 1.22.3 | 2024-05-08
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.
nvd
CVE-2026-39817 | P4 | MEDIUM | CVSS 5.9 | CWE-787 | fixed in 1.25.10 | ≥ 1.26.0-0, < 1.26.3 | 2026-05-07
The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.
nvd
CVE-2026-39819 | P4 | MEDIUM | CVSS 5.3 | CWE-59 | fixed in 1.25.10 | ≥ 1.26.0-0, < 1.26.3 | 2026-05-07
The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.
nvd