CVE-2025-61731

Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file supplies command-line arguments that are passed to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.
References
Link Resource
https://go.dev/cl/736711 Patch
https://go.dev/issue/77100 Issue Tracking
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc Mailing List Release Notes
https://pkg.go.dev/vuln/GO-2026-4339 Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:12118
https://access.redhat.com/errata/RHSA-2026:12282
https://access.redhat.com/errata/RHSA-2026:13736
https://access.redhat.com/errata/RHSA-2026:14100
https://access.redhat.com/errata/RHSA-2026:14774
https://access.redhat.com/errata/RHSA-2026:15091
https://access.redhat.com/errata/RHSA-2026:20088
https://access.redhat.com/errata/RHSA-2026:21691
https://access.redhat.com/errata/RHSA-2026:3556
https://access.redhat.com/errata/RHSA-2026:3559
https://access.redhat.com/errata/RHSA-2026:3855
https://access.redhat.com/errata/RHSA-2026:4434
https://access.redhat.com/errata/RHSA-2026:5133
https://access.redhat.com/errata/RHSA-2026:5907
https://access.redhat.com/errata/RHSA-2026:5941
https://access.redhat.com/errata/RHSA-2026:5942
https://access.redhat.com/errata/RHSA-2026:5943
https://access.redhat.com/errata/RHSA-2026:5944
https://access.redhat.com/errata/RHSA-2026:5948
https://access.redhat.com/errata/RHSA-2026:5950
https://access.redhat.com/errata/RHSA-2026:5952
https://access.redhat.com/errata/RHSA-2026:6949
https://access.redhat.com/errata/RHSA-2026:7291
https://access.redhat.com/errata/RHSA-2026:7385
https://access.redhat.com/errata/RHSA-2026:7833
https://access.redhat.com/errata/RHSA-2026:7834
https://access.redhat.com/errata/RHSA-2026:7876
https://access.redhat.com/errata/RHSA-2026:7877
https://access.redhat.com/errata/RHSA-2026:7878
https://access.redhat.com/errata/RHSA-2026:7879
https://access.redhat.com/errata/RHSA-2026:7883
https://access.redhat.com/security/cve/CVE-2025-61731
https://bugzilla.redhat.com/show_bug.cgi?id=2434433
https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-61731.json
Configurations

Configuration 1

OR cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*

History

30 Jun 2026, 03:16

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2026:12118 -
  • () https://access.redhat.com/errata/RHSA-2026:12282 -
  • () https://access.redhat.com/errata/RHSA-2026:13736 -
  • () https://access.redhat.com/errata/RHSA-2026:14100 -
  • () https://access.redhat.com/errata/RHSA-2026:14774 -
  • () https://access.redhat.com/errata/RHSA-2026:15091 -
  • () https://access.redhat.com/errata/RHSA-2026:20088 -
  • () https://access.redhat.com/errata/RHSA-2026:21691 -
  • () https://access.redhat.com/errata/RHSA-2026:3556 -
  • () https://access.redhat.com/errata/RHSA-2026:3559 -
  • () https://access.redhat.com/errata/RHSA-2026:3855 -
  • () https://access.redhat.com/errata/RHSA-2026:4434 -
  • () https://access.redhat.com/errata/RHSA-2026:5133 -
  • () https://access.redhat.com/errata/RHSA-2026:5907 -
  • () https://access.redhat.com/errata/RHSA-2026:5941 -
  • () https://access.redhat.com/errata/RHSA-2026:5942 -
  • () https://access.redhat.com/errata/RHSA-2026:5943 -
  • () https://access.redhat.com/errata/RHSA-2026:5944 -
  • () https://access.redhat.com/errata/RHSA-2026:5948 -
  • () https://access.redhat.com/errata/RHSA-2026:5950 -
  • () https://access.redhat.com/errata/RHSA-2026:5952 -
  • () https://access.redhat.com/errata/RHSA-2026:6949 -
  • () https://access.redhat.com/errata/RHSA-2026:7291 -
  • () https://access.redhat.com/errata/RHSA-2026:7385 -
  • () https://access.redhat.com/errata/RHSA-2026:7833 -
  • () https://access.redhat.com/errata/RHSA-2026:7834 -
  • () https://access.redhat.com/errata/RHSA-2026:7876 -
  • () https://access.redhat.com/errata/RHSA-2026:7877 -
  • () https://access.redhat.com/errata/RHSA-2026:7878 -
  • () https://access.redhat.com/errata/RHSA-2026:7879 -
  • () https://access.redhat.com/errata/RHSA-2026:7883 -
  • () https://access.redhat.com/security/cve/CVE-2025-61731 -
  • () https://bugzilla.redhat.com/show_bug.cgi?id=2434433 -
  • () https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-61731.json -
CWE CWE-88

17 Jun 2026, 09:50

Type Values Removed Values Added
Summary
  • (es) Construir un archivo malicioso con cmd/go puede causar puede causar una escritura a un archivo controlado por el atacante con control parcial del contenido del archivo. La directiva '#cgo pkg-config:' en un archivo fuente de Go proporciona argumentos de línea de comandos para proporcionar al comando Go pkg-config. Un atacante puede proporcionar un argumento '--log-file' a esta directiva, causando que pkg-config escriba a una ubicación controlada por el atacante.
References () https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc - Release Notes, Mailing List () https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc - Mailing List, Release Notes

06 Feb 2026, 18:43

Type Values Removed Values Added
CPE cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
First Time Golang go
Golang
CWE NVD-CWE-noinfo
References () https://go.dev/cl/736711 - () https://go.dev/cl/736711 - Patch
References () https://go.dev/issue/77100 - () https://go.dev/issue/77100 - Issue Tracking
References () https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc - () https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc - Release Notes, Mailing List
References () https://pkg.go.dev/vuln/GO-2026-4339 - () https://pkg.go.dev/vuln/GO-2026-4339 - Vendor Advisory

29 Jan 2026, 17:16

Type Values Removed Values Added
CVSS
  Values Removed: v2 : unknown, v3 : unknown
  Values Added: v2 : unknown, v3 : 7.8

28 Jan 2026, 20:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-01-28 20:16

Updated : 2026-06-30 03:16


NVD link : CVE-2025-61731

Mitre link : CVE-2025-61731

CVE.ORG link : CVE-2025-61731


Products Affected

golang

  • go
CWE
NVD-CWE-noinfo CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')