Go Toolchain Cmd Go vulnerabilities

CVE-2026-27140 [HIGH] CVE-2026-27140: SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrar SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

CVE-2025-68119 [HIGH] CWE-787 CVE-2025-68119: Downloading and building modules with malicious version strings can cause local code execution. On s Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious ve

CVE-2025-61731 [HIGH] CVE-2025-61731: Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file wit Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write t

CVE-2025-4674 [HIGH] CWE-73 CVE-2025-4674: The go command may execute unexpected commands when operating in untrusted VCS repositories. This oc The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line,

CVE-2025-22867 [HIGH] CVE-2025-22867: On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using t On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only affected go1.24rc2.

CVE-2024-45340 [HIGH] CVE-2024-45340: Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowin Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the users .netrc file.

CVE-2023-24531 [CRITICAL] CVE-2023-24531: Command go env is documented as outputting a shell script containing the Go environment. However, go Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad bahaviors, including executing arbitrary commands or inserting new environment variables. This issue is relatively minor because, in general, if an attacker can se

CVE-2024-24787 [MEDIUM] CVE-2024-24787: On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using t On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.

CVE-2023-45285 [HIGH] CVE-2023-45285: Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).

CVE-2023-39323 [HIGH] CVE-2023-39323: Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowin Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploitin

CVE-2023-39320 [CRITICAL] CWE-94 CVE-2023-39320: The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binar The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.

CVE-2023-29404 [CRITICAL] CWE-94 CVE-2023-29404: The go command may execute arbitrary code at build time when using cgo. This may occur when running The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrect

CVE-2023-29405 [CRITICAL] CWE-74 CVE-2023-29405: The go command may execute arbitrary code at build time when using cgo. This may occur when running The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed fla

CVE-2023-29402 [CRITICAL] CWE-94 CVE-2023-29402: The go command may generate unexpected code at build time when using cgo. This may result in unexpec The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not aff

CVE-2020-28367 [HIGH] CWE-94 CVE-2020-28367: Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code exec Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.

CVE-2020-28366 [HIGH] CWE-94 CVE-2020-28366: Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code exec Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.