golang cmd/go
cpe:2.3:a:golang:go:*:*:*:*:*:*:*
- < go1.25.10
- >= go1.26.0-0, < go1.26.3
A path traversal vulnerability has been identified in the 'go tool pack' subcommand, which is typically used internally by the Go compiler. This vulnerability arises because the 'pack' subcommand does not properly sanitize output filenames. As a result, extracting a malicious archive can lead to files being written to arbitrary locations on the filesystem. This issue affects Go versions prior to 1.25.10 and from 1.26.0 up to but not including 1.26.3.
Exploitation of this vulnerability allows arbitrary file writes on the filesystem, which could overwrite existing files or create new ones in sensitive locations.
Users can upgrade to Go versions 1.26.3 or 1.25.10, both of which include the necessary fix. Instructions for downloading these versions are available on the Go website.
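The root cause described above is an archive extractor that trusts member names as output filenames. The following Go snippet is an added illustration of the defensive check such an extractor needs; it is not the Go toolchain's own code or its fix, and the helper name `SafeMemberPath` and the sample member names are constructed for this example. It rejects names that are empty, `.` or `..`, contain any path separator, or are absolute, and then confirms, as defence in depth, that the cleaned target still lies inside the destination directory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeName is returned for archive member names that would escape
// the extraction directory.
var ErrUnsafeName = errors.New("unsafe archive member name")

// SafeMemberPath validates an archive member name and returns the absolute
// path it may be written to under destDir. Hypothetical helper for this
// example, not part of the Go toolchain.
func SafeMemberPath(destDir, name string) (string, error) {
	if name == "" || name == "." || name == ".." {
		return "", ErrUnsafeName
	}
	// Members of a flat archive are plain filenames; any separator
	// (either style) means the name is trying to describe a path.
	if strings.ContainsAny(name, `/\`) {
		return "", ErrUnsafeName
	}
	if filepath.IsAbs(name) {
		return "", ErrUnsafeName
	}
	absDest, err := filepath.Abs(destDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absDest, name)
	// Defence in depth: the cleaned target must still be inside destDir.
	rel, err := filepath.Rel(absDest, target)
	if err != nil || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeName
	}
	return target, nil
}

func main() {
	// Constructed sample member names, not taken from a real archive.
	samples := []string{"a.o", "../../etc/passwd", "/tmp/x", "sub/dir.o", "..", ""}
	for _, n := range samples {
		p, err := SafeMemberPath("out", n)
		fmt.Printf("%-20q -> %q, %v\n", n, p, err)
	}
}
```

Running the block shows `a.o` accepted and every other sample rejected with `ErrUnsafeName`; an extractor that applies this check before opening the output file cannot be steered outside its destination directory by a crafted member name.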