← Back

CVE-2025-61731

nvd nist
Published: Jan 28, 2026Modified: Feb 6, 2026

JSON object

Loading...
7.8
Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 / Impact: 5.9
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.

Affected (2)

Products: Golang: Go
Golang
1 product
Go
Configuration A
2 vulnerable
Vulnerable SoftwareAffected Versions
Golang
Go
Before 1.24.12
Go
From 1.25.0 to 1.25.6

References (4)

Source: security@golang.org
Patch
Source: security@golang.org
Issue Tracking
Source: security@golang.org
Release NotesMailing List
Source: security@golang.org
Vendor Advisory

Timeline

No history available yet.