Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.
References
Configurations
History
30 Jun 2026, 03:16
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
|
| CWE | CWE-88 |
17 Jun 2026, 09:50
| Type | Values Removed | Values Added |
|---|---|---|
| Summary |
|
|
| References | () https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc - Mailing List, Release Notes |
06 Feb 2026, 18:43
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* | |
| First Time |
Golang go
Golang |
|
| CWE | NVD-CWE-noinfo | |
| References | () https://go.dev/cl/736711 - Patch | |
| References | () https://go.dev/issue/77100 - Issue Tracking | |
| References | () https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc - Release Notes, Mailing List | |
| References | () https://pkg.go.dev/vuln/GO-2026-4339 - Vendor Advisory |
29 Jan 2026, 17:16
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.8 |
28 Jan 2026, 20:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-01-28 20:16
Updated : 2026-06-30 03:16
NVD link : CVE-2025-61731
Mitre link : CVE-2025-61731
CVE.ORG link : CVE-2025-61731
JSON object : View
Products Affected
golang
- go
CWE
NVD-CWE-noinfo
CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
