PatchSiren cyber security CVE debrief
CVE-2025-61731 Go toolchain CVE debrief
CVE-2025-61731 is a vulnerability in Go's cmd/go that allows an attacker to write to a file with partial control of the content. The vulnerability is caused by the '#cgo pkg-config:' directive in a Go source file, which provides command-line arguments to the Go pkg-config command. An attacker can provide a '--log-file' argument to this directive, causing pkg-config to write to an attacker-controlled location. This vulnerability has a CVSS score of 7.8 and is classified as HIGH severity. The CVE was published on January 28, 2026, and modified on June 30, 2026.
- Vendor
- Go toolchain
- Product
- cmd/go
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-01-28
- Original CVE updated
- 2026-06-30
- Advisory published
- 2026-01-28
- Advisory updated
- 2026-06-30
Who should care
Developers and users of Go programming language should be aware of this vulnerability. An attacker could exploit this vulnerability to write to sensitive files, potentially leading to a compromise of the system. Users of Go should ensure they are running a version of Go that has been patched for this vulnerability.
Technical summary
The vulnerability is caused by the '#cgo pkg-config:' directive in a Go source file, which provides command-line arguments to the Go pkg-config command. An attacker can provide a '--log-file' argument to this directive, causing pkg-config to write to an attacker-controlled location. The CVSS vector for this vulnerability is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The weakness associated with this vulnerability is NVD-CWE-noinfo.
Defensive priority
High priority should be given to patching this vulnerability, as an attacker could exploit it to write to sensitive files. Users of Go should ensure they are running a version of Go that has been patched for this vulnerability.
Recommended defensive actions
- Patch Go installations to prevent exploitation
- Review and update Go projects to ensure they do not use vulnerable directives
- Monitor systems for suspicious activity related to Go usage
- Implement compensating controls to limit the impact of a potential exploit
- Track and verify Go updates and patches
Evidence notes
The CVE record and NVD detail provide information on the vulnerability. The source item URL provides additional information on the vulnerability, including references to patches and advisories. The vendor, Golang, has provided patches and advisories for this vulnerability.
Official resources
-
CVE-2025-61731 CVE record
CVE.org
-
CVE-2025-61731 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Source reference
[email protected] - Issue Tracking
-
Mitigation or vendor reference
[email protected] - Mailing List, Release Notes
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article was generated with AI assistance based on the supplied source corpus.