
Description

Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file supplies command-line arguments that are passed to the pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.

PUBLISHED Reserved 2025-09-30 | Published 2026-01-28 | Updated 2026-01-29 | Assigner Go

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status: unaffected

Any version before 1.24.12: affected

1.25.0 (semver) before 1.25.6: affected

Credits

RyotaK (https://ryotak.net) of GMO Flatt Security Inc.

References

go.dev/cl/736711

go.dev/issue/77100

groups.google.com/g/golang-announce/c/Vd2tYVM8eUc

pkg.go.dev/vuln/GO-2026-4339

cve.org (CVE-2025-61731)

nvd.nist.gov (CVE-2025-61731)
