Go Command Line Tool Arbitrary Code Execution Vulnerability on Darwin

Vulnerability

A vulnerability in the Go command line tool (cmd/go) has been identified, allowing arbitrary code execution during the build process on Darwin systems. This issue arises when a Go module that includes CGO is built using the Apple version of the linker (ld). The vulnerability is triggered by the use of special values such as @executable_path, @loader_path, or @rpath in a '#cgo LDFLAGS' directive. This problem is specific to Go version 1.24 release candidate 2.

Impact

Exploitation of this vulnerability could lead to arbitrary code execution on the user's machine.

Reproduction

To reproduce this vulnerability, create a Go module that includes CGO and use the Apple version of the linker. In the '#cgo LDFLAGS' directive, include the @executable_path, @loader_path, or @rpath special values. Then, build the module using Go 1.24rc2 on a Darwin system. The arbitrary code execution will occur during the build process.

Remediation

Users can upgrade to Go 1.24 release candidate 3 or later, where this vulnerability has been fixed.
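A pre-build review check for the directives described above, as an added example (not code from this advisory or from the Go project): it parses a Go file's `import "C"` comment and reports `#cgo LDFLAGS` lines that contain one of the three special values. The name `ScanCgoLDFLAGS`, the pattern and the sample source are constructed for illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"regexp"
	"strings"
)

// directive matches "#cgo [constraints] LDFLAGS: ..." lines carrying a special value.
var directive = regexp.MustCompile(`^#cgo\s+([^\s:]+\s+)*LDFLAGS\s*:.*@(executable_path|loader_path|rpath)`)

// Constructed sample: only the darwin LDFLAGS line should be reported.
const sample = "package demo\n\n/*\n#cgo CFLAGS: -O2\n#cgo linux LDFLAGS: -lfoo\n" +
	"#cgo darwin LDFLAGS: -Wl,-rpath,@loader_path/lib -lfoo\n*/\nimport \"C\"\n"

// ScanCgoLDFLAGS returns the flagged #cgo LDFLAGS lines attached to import "C" in src.
func ScanCgoLDFLAGS(name, src string) ([]string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), name, src, parser.ImportsOnly|parser.ParseComments)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, d := range f.Decls {
		gd, ok := d.(*ast.GenDecl)
		if !ok || gd.Tok != token.IMPORT {
			continue
		}
		for _, s := range gd.Specs {
			is := s.(*ast.ImportSpec)
			if is.Path.Value != `"C"` {
				continue
			}
			text := is.Doc.Text() + "\n" + gd.Doc.Text() // spec comment plus declaration comment
			for _, line := range strings.Split(text, "\n") {
				if line = strings.TrimSpace(line); directive.MatchString(line) {
					hits = append(hits, line)
				}
			}
		}
	}
	return hits, nil
}

func main() {
	hits, err := ScanCgoLDFLAGS("sample.go", sample)
	fmt.Println(hits, err)
}
```

A hit marks a line for manual review rather than proof of malicious intent, since these values are also used in ordinary rpath settings on macOS.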

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 7.5
exploitability: 5.0
remediation: 7.7
relevance: 0.0
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.