Fluid Attacks Database

Description

Arbitrary file write using cgo pkg-config directive in cmd/go Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content.

The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	golang-1.25	=1.25.0-1 \|\| =1.25.0-2 \|\| =1.25.1-1 \|\| =1.25.2-1 \|\| =1.25.3-1 \|\| >=0 <1.25.6-1	1.25.6-1
debian 13	golang-1.24	=1.24.12-1 \|\| =1.24.13-1 \|\| =1.24.13-2 \|\| =1.24.4-1 \|\| =1.24.4-2 \|\| =1.24.4-3 \|\| =1.24.4-4 \|\| =1.24.7-1 \|\| =1.24.8-1 \|\| =1.24.9-1	-
go	toolchain	>=0 <1.24.12	1.24.12
debian 11	golang-1.15	=1.15.15-1 \|\| =1.15.15-1~deb11u1 \|\| =1.15.15-1~deb11u2 \|\| =1.15.15-1~deb11u3 \|\| =1.15.15-1~deb11u4 \|\| =1.15.15-2 \|\| =1.15.15-3 \|\| =1.15.15-4 \|\| =1.15.15-5 \|\| =1.15.9-6	-
debian 12	golang-1.19	=1.19.10-1 \|\| =1.19.10-2 \|\| =1.19.11-1 \|\| =1.19.12-1 \|\| =1.19.12-2 \|\| =1.19.12-2~bpo11+1 \|\| =1.19.12-2~bpo12+1 \|\| =1.19.13-1 \|\| =1.19.13-1~bpo11+1 \|\| =1.19.13-1~bpo12+1 \|\| =1.19.8-2 \|\| =1.19.9-1	-
rpm rhel9	golang	<0:1.25.8-1.el9_7	0:1.25.8-1.el9_7
rpm rhel10	golang	<0:1.25.8-1.el10_1	0:1.25.8-1.el10_1
rpm rhel8	golang	-	-
rpm rhel9.6	golang	<0:1.25.8-1.el9_6	0:1.25.8-1.el9_6
rpm rhel10.0	golang	<0:1.25.8-1.el10_0	0:1.25.8-1.el10_0

1-10 of 13

Aliases

1. CVE-2025-617312. NVD-2025-617313. OSV-DEBIAN-2025-617314. OSV-2025-617315. OSV-GO-2026-43396. GCVE-2025-617317. SECURITY-TRACKER-CVE-2025-61731

References

1. https://go.dev/cl/7367112. https://go.dev/issue/771003. https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.