PatchSiren

Go toolchain CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH | Go toolchain CVE | published 2026-01-28

CVE-2025-61731

CVE-2025-61731 is a vulnerability in Go's cmd/go that allows an attacker to write to a file with partial control of the content. The vulnerability is caused by the '#cgo pkg-config:' directive in a Go source file, which provides command-line arguments to the Go pkg-config command. An attacker can provide a '--log-file' argument to this directive, causing pkg-config to write to an attacker-controlled locat [truncated]