Go Command Module Proxy Checksum Validation Bypass Vulnerability

Vulnerability

A vulnerability exists in the Go command's handling of module checksums that allows a malicious module proxy to bypass checksum database validation. It affects users whose module proxy (GOPROXY) or checksum database (GOSUMDB) is untrusted. The Go command relies on the hashes recorded in go.sum to verify module dependencies; a malicious proxy can serve altered modules so that incorrect hashes are recorded. When a different version of the Go toolchain is requested, the Go command downloads that toolchain from the module proxy and executes it, and the flaw lets the proxy manipulate the checksum validation for that toolchain, potentially compromising its integrity.

Impact

Exploitation of this vulnerability could lead to the execution of a compromised Go toolchain, allowing a malicious module proxy to alter the Go command's behavior or introduce harmful changes.

Reproduction

To reproduce this vulnerability, configure an untrusted module proxy and checksum database, then build with a Go module that has no entry in go.sum. The Go command downloads the module from the proxy without checksum validation. Afterwards, inspect go.sum for discrepancies: a recorded hash that does not match the module's genuine contents indicates that the malicious proxy served an altered module.
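The following is an added example written for this page, not code from the Go project, to make the go.sum mechanism in the description and the discrepancy check in the reproduction steps concrete. It recomputes the "h1:" hash that go.sum records for a module in the same way the Go command does (the Hash1 algorithm from golang.org/x/mod/sumdb/dirhash, reimplemented with the standard library over an in-memory file map instead of a module zip), parses go.sum lines, and reports a mismatch when the served files differ from what go.sum recorded. The module name, version, file contents and go.sum lines are constructed; the checksum database lookup that the real Go command also performs is not modelled here.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hash1 recomputes the "h1:" hash that go.sum records for a module: for every
// file (sorted by name) it appends "<sha256-hex>  <name>\n" to a running
// SHA-256 and base64-encodes the final digest. This mirrors the Hash1
// algorithm in golang.org/x/mod/sumdb/dirhash; the in-memory map stands in
// for the entries of a downloaded module zip ("module@version/path").
func hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(h, "%x  %s\n", sum, n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// parseGoSum reads go.sum text into a map keyed by "module version" or
// "module version/go.mod", the two kinds of line the file holds.
func parseGoSum(text string) (map[string]string, error) {
	entries := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 || !strings.HasPrefix(f[2], "h1:") {
			return nil, fmt.Errorf("malformed go.sum line: %q", line)
		}
		entries[f[0]+" "+f[1]] = f[2]
	}
	return entries, sc.Err()
}

// verifyModule compares the hash recorded in go.sum for module@version with
// the hash recomputed from the files actually served. A mismatch is the
// discrepancy the reproduction steps describe; a missing entry means the
// download would not be checked against any recorded hash at all.
func verifyModule(entries map[string]string, module, version string, zipFiles map[string][]byte) error {
	want, ok := entries[module+" "+version]
	if !ok {
		return fmt.Errorf("%s@%s: no go.sum entry", module, version)
	}
	if got := hash1(zipFiles); got != want {
		return fmt.Errorf("%s@%s: checksum mismatch\n\tgo.sum: %s\n\tserved: %s", module, version, want, got)
	}
	return nil
}

func main() {
	const mod, ver = "example.com/lib", "v1.0.0" // constructed module
	prefix := mod + "@" + ver + "/"
	// Constructed stand-in for the module zip a trustworthy proxy would serve.
	genuine := map[string][]byte{
		prefix + "go.mod": []byte("module example.com/lib\n\ngo 1.25\n"),
		prefix + "lib.go": []byte("package lib\n\nfunc Add(a, b int) int { return a + b }\n"),
	}
	// Constructed go.sum as recorded when the genuine module was first fetched;
	// the "/go.mod" line hashes only the go.mod file.
	gosum := fmt.Sprintf("%s %s %s\n%s %s/go.mod %s\n",
		mod, ver, hash1(genuine),
		mod, ver, hash1(map[string][]byte{"go.mod": genuine[prefix+"go.mod"]}))
	entries, err := parseGoSum(gosum)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine:", verifyModule(entries, mod, ver, genuine))

	// Constructed tampered copy: a single operator changed in the source.
	tampered := map[string][]byte{}
	for k, v := range genuine {
		tampered[k] = v
	}
	tampered[prefix+"lib.go"] = []byte("package lib\n\nfunc Add(a, b int) int { return a - b }\n")
	fmt.Println("tampered:", verifyModule(entries, mod, ver, tampered))
}
```

The genuine copy verifies and the tampered copy reports a checksum mismatch. The same recomputation is what 'go mod verify' performs against the module cache, which is why the remediation section asks for it after upgrading.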

Remediation

Upgrade to Go 1.26.3 or 1.25.10, both of which include the fix. After upgrading, run 'go mod tidy' and 'go mod verify' to revalidate all module dependencies.

Added: May 7, 2026, 8:40 PM
Updated: May 7, 2026, 8:40 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 7.5
exploitability: 5.4
remediation: 8.3
relevance: 7.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.