golang/cmd/go
cpe:2.3:a:golang:go:*:*:*:*:*:*:*
- < go1.24.12
- >= go1.25.0, < go1.25.6
A vulnerability in the Go command line tool (cmd/go) allows an arbitrary file write, with partial control over the file content, when cmd/go builds a package that uses cgo. The arguments of a '#cgo pkg-config:' directive in a Go source file are handed to the pkg-config binary on its command line, and cmd/go did not adequately filter unsafe command-line arguments out of that directive. An attacker who controls the Go source being built can therefore pass a '--log-file' option to pkg-config and direct it to write a log file to a location of the attacker's choosing.
Exploitation requires only that a victim build attacker-supplied Go source (for example by running 'go build' on a repository that contains such a directive). The resulting unauthorized file write could be used to plant or overwrite files on the build host and so enable further exploitation or manipulation of the system.
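The following added example is not code from the Go project or from this advisory; it is a triage scanner for the vector described above. It uses the standard go/parser package to find every '#cgo ... pkg-config:' directive in a Go source file and reports any argument that begins with '-', since pkg-config expects package names there and a leading dash means the directive is trying to pass an option (such as the '--log-file' option named in the advisory) to the pkg-config binary. It scans every comment in the file rather than only the preamble immediately before 'import "C"', which is deliberately broader than cgo's own rule so that nothing is missed. The embedded source file is constructed for the example and is not taken from any real project.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strings"
)

// Finding is one flag-like argument found in a "#cgo ... pkg-config:" directive.
type Finding struct {
	File      string // file the directive came from
	Line      int    // 1-based source line of the directive
	Arg       string // the suspicious argument, e.g. "--log-file=/tmp/x"
	Directive string // the full directive line, trimmed
}

// parseCgoDirective splits a line such as
//
//	#cgo linux pkg-config: --log-file=/tmp/x libfoo
//
// into its verb ("pkg-config") and arguments. Build-constraint tokens between
// "#cgo" and the verb are skipped. ok is false if the line is not a directive.
func parseCgoDirective(line string) (verb string, args []string, ok bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 || fields[0] != "#cgo" {
		return "", nil, false
	}
	for i := 1; i < len(fields); i++ {
		if strings.HasSuffix(fields[i], ":") {
			return strings.TrimSuffix(fields[i], ":"), fields[i+1:], true
		}
	}
	return "", nil, false
}

// ScanCgoPkgConfig parses Go source and reports every argument of a
// "#cgo ... pkg-config:" directive that begins with '-'. All comments in the
// file are inspected, which is broader than cgo's preamble rule but never
// misses a directive cgo would honour.
func ScanCgoPkgConfig(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, parser.ParseComments)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, group := range f.Comments {
		for _, c := range group.List {
			// Strip the comment markers but keep the line structure so the
			// real source line of each directive can be computed from the
			// comment's starting line.
			text := c.Text
			if strings.HasPrefix(text, "//") {
				text = strings.TrimPrefix(text, "//")
			} else {
				text = strings.TrimSuffix(strings.TrimPrefix(text, "/*"), "*/")
			}
			base := fset.Position(c.Pos()).Line
			for i, raw := range strings.Split(text, "\n") {
				line := strings.TrimSpace(raw)
				verb, args, ok := parseCgoDirective(line)
				if !ok || verb != "pkg-config" {
					continue
				}
				for _, a := range args {
					if strings.HasPrefix(a, "-") {
						findings = append(findings, Finding{
							File: filename, Line: base + i, Arg: a, Directive: line,
						})
					}
				}
			}
		}
	}
	return findings, nil
}

// sample is a constructed cgo preamble containing one malicious directive
// (line 5); it is not taken from any real project.
const sample = `package libfoo

/*
#cgo CFLAGS: -I/usr/include/foo
#cgo pkg-config: --log-file=/tmp/attacker-controlled.log libfoo
#cgo linux pkg-config: libbar
#include <foo.h>
*/
import "C"

func Version() string { return C.GoString(C.foo_version()) }
`

func main() {
	findings, err := ScanCgoPkgConfig("libfoo.go", sample)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s:%d: flag-like pkg-config argument %q in %q\n",
			f.File, f.Line, f.Arg, f.Directive)
	}
}
```

Run against the constructed sample, the scanner reports the single '--log-file=...' argument on line 5 and ignores the CFLAGS directive (whose '-I' argument is a compiler flag, not a pkg-config argument) and the clean 'linux pkg-config: libbar' directive. Pointing it at a vendored or downloaded module tree before building with an unpatched toolchain gives a quick answer to whether any dependency is attempting this trick.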
This vulnerability is fixed in Go 1.24.12 and 1.25.6, which bound the affected ranges listed above. Users should upgrade to one of those versions or later, either by downloading a release from the Go website or by compiling the toolchain from source.