Go Command Toolchain Vulnerability Allowing Local Code Execution

Vulnerability

A vulnerability in the Go command toolchain can lead to local code execution when a user downloads and builds modules whose version strings are malicious. On systems with Mercurial installed, modules fetched from non-standard sources can execute unexpected code because of the way the toolchain constructs the command line it passes to the external version control system. Similarly, on systems with Git installed, malicious version strings can be used to write arbitrary files on the filesystem. Triggering the vulnerability requires explicit action by the user; it does not affect default module paths or the latest version of the module.

Impact

Exploitation of this vulnerability can result in arbitrary code execution on the affected system.

Reproduction

The vulnerability can be reproduced by downloading and building Go modules that contain malicious version strings, specifically when using Git or Mercurial as the version control system. This can be done by manually specifying the malicious versions in the module download commands.

Remediation

Users can update to Go versions 1.25.6 or 1.24.12, both of which include the necessary fix. Instructions for downloading these versions are available on the Go website.
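As an added example, not part of the advisory or of the Go project's own tooling, the POSIX shell script below checks whether a Go toolchain version string is at or above the patched releases named above (1.25.6 and 1.24.12). With no argument it inspects the locally installed `go`; the file name `check_go.sh` and the treatment of 1.23 and older lines as unpatched are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether a Go toolchain
# version is at or above the patched releases 1.25.6 / 1.24.12.
# Usage: sh check_go.sh [VERSION]   (no argument: inspect installed `go`)

# Lowest patched release on each supported minor line, from the advisory.
PATCHED_125=6
PATCHED_124=12

# go_is_patched VERSION
#   Returns 0 when VERSION ("go1.25.6", "1.24.12", "go1.26rc1", ...) is at
#   or above a patched release, 1 otherwise.  Pre-release suffixes such as
#   "rc1" are dropped, so "1.25rc1" is treated as 1.25.0 (unpatched).
#   Assumption for this example: 1.23 and older lines have no fixed
#   release, so they are reported as unpatched.
go_is_patched() {
  v="${1#go}"                          # "go1.25.6" -> "1.25.6"
  major="${v%%.*}"
  rest="${v#*.}"
  [ "$rest" = "$v" ] && rest=0         # bare "1" -> 1.0.0
  minor="${rest%%.*}"
  patch="${rest#*.}"
  [ "$patch" = "$rest" ] && patch=0    # "1.25" -> patch 0
  minor="${minor%%[!0-9]*}"            # "25rc1" -> "25"
  patch="${patch%%[!0-9]*}"            # "6beta2" -> "6"
  [ -n "$minor" ] || minor=0
  [ -n "$patch" ] || patch=0
  case "$major" in
    ''|*[!0-9]*) return 1 ;;           # not a Go-style version string
  esac
  [ "$major" -gt 1 ] && return 0
  [ "$major" -eq 1 ] || return 1
  if [ "$minor" -gt 25 ]; then
    return 0
  elif [ "$minor" -eq 25 ]; then
    if [ "$patch" -ge "$PATCHED_125" ]; then return 0; else return 1; fi
  elif [ "$minor" -eq 24 ]; then
    if [ "$patch" -ge "$PATCHED_124" ]; then return 0; else return 1; fi
  fi
  return 1
}

# installed_go_version
#   `go version` prints e.g. "go version go1.24.3 linux/amd64"; field 3 is
#   the version string.  Prints nothing when go is not on PATH.
installed_go_version() {
  go version 2>/dev/null | awk '{print $3}'
}

main() {
  ver="${1:-$(installed_go_version)}"
  if [ -z "$ver" ]; then
    echo "go toolchain not found in PATH" >&2
    return 2
  fi
  if go_is_patched "$ver"; then
    echo "$ver: at or above a patched release (1.25.6 / 1.24.12)"
  else
    echo "$ver: update to Go 1.25.6 or 1.24.12 (or newer)"
    return 1
  fi
}

# Run main only when executed as check_go.sh, so the functions can also be
# sourced from other scripts.
if [ "${0##*/}" = "check_go.sh" ]; then
  main "$@"
fi
```

The exit status of the script (0 patched, 1 needs update, 2 no toolchain found) makes it usable in a CI step or a fleet inventory job; note that it only inspects the `go` binary first on `PATH`, so hosts with several toolchains installed need one call per installation.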

Added: Jan 28, 2026, 8:30 PM
Updated: Jan 28, 2026, 8:30 PM

Vulnerability Rating

Custom Algorithm

  spread          5.4
  impact          2.5
  exploitability  4.8
  remediation     7.7
  relevance       2.4
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.