PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-61731 Go toolchain CVE debrief

CVE-2025-61731 is a vulnerability in Go's cmd/go that allows an attacker to write to a file with partial control of the content. The vulnerability is caused by the '#cgo pkg-config:' directive in a Go source file, which provides command-line arguments to the Go pkg-config command. An attacker can provide a '--log-file' argument to this directive, causing pkg-config to write to an attacker-controlled location. This vulnerability has a CVSS score of 7.8 and is classified as HIGH severity. The CVE was published on January 28, 2026, and modified on June 30, 2026.

Vendor
Go toolchain
Product
cmd/go
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-01-28
Original CVE updated
2026-06-30
Advisory published
2026-01-28
Advisory updated
2026-06-30

Who should care

Developers and users of Go programming language should be aware of this vulnerability. An attacker could exploit this vulnerability to write to sensitive files, potentially leading to a compromise of the system. Users of Go should ensure they are running a version of Go that has been patched for this vulnerability.

Technical summary

The vulnerability is caused by the '#cgo pkg-config:' directive in a Go source file, which provides command-line arguments to the Go pkg-config command. An attacker can provide a '--log-file' argument to this directive, causing pkg-config to write to an attacker-controlled location. The CVSS vector for this vulnerability is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The weakness associated with this vulnerability is NVD-CWE-noinfo.

Defensive priority

High priority should be given to patching this vulnerability, as an attacker could exploit it to write to sensitive files. Users of Go should ensure they are running a version of Go that has been patched for this vulnerability.

Recommended defensive actions

  • Patch Go installations to prevent exploitation
  • Review and update Go projects to ensure they do not use vulnerable directives
  • Monitor systems for suspicious activity related to Go usage
  • Implement compensating controls to limit the impact of a potential exploit
  • Track and verify Go updates and patches

Evidence notes

The CVE record and NVD detail provide information on the vulnerability. The source item URL provides additional information on the vulnerability, including references to patches and advisories. The vendor, Golang, has provided patches and advisories for this vulnerability.

Official resources

This article was generated with AI assistance based on the supplied source corpus.