Refine your search
19 vulnerabilities found for by Go toolchain
CVE-2026-27140 (GCVE-0-2026-27140)
Vulnerability from cvelistv5
Published
2026-04-08 01:06
Modified
2026-04-13 13:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go toolchain | cmd/go |
Version: 0 ≤ Version: 1.26.0-0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-27140",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T03:55:58.901718Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T13:22:34.117Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "cmd/go",
"product": "cmd/go",
"vendor": "Go toolchain",
"versions": [
{
"lessThan": "1.25.9",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.2",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Juho Fors\u00e9n of Mattermost"
}
],
"descriptions": [
{
"lang": "en",
"value": "SWIG file names containing \u0027cgo\u0027 and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-501: Trust Boundary Violation",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T01:06:57.893Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/763768"
},
{
"url": "https://go.dev/issue/78335"
},
{
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4871"
}
],
"title": "Code execution vulnerability in SWIG code generation in cmd/go"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-27140",
"datePublished": "2026-04-08T01:06:57.893Z",
"dateReserved": "2026-02-17T19:57:28.435Z",
"dateUpdated": "2026-04-13T13:22:34.117Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27143 (GCVE-0-2026-27143)
Vulnerability from cvelistv5
Published
2026-04-08 01:06
Modified
2026-04-13 18:20
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go toolchain | cmd/compile |
Version: 0 ≤ Version: 1.26.0-0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-27143",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T17:50:24.131708Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T18:20:17.933Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "cmd/compile",
"product": "cmd/compile",
"vendor": "Go toolchain",
"versions": [
{
"lessThan": "1.25.9",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.2",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jakub Ciolek - https://ciolek.dev/"
}
],
"descriptions": [
{
"lang": "en",
"value": "Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T01:06:57.168Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/763765"
},
{
"url": "https://go.dev/issue/78333"
},
{
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4868"
}
],
"title": "Missing bound checks can lead to memory corruption in safe Go in cmd/compile"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-27143",
"datePublished": "2026-04-08T01:06:57.168Z",
"dateReserved": "2026-02-17T19:57:28.435Z",
"dateUpdated": "2026-04-13T18:20:17.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27144 (GCVE-0-2026-27144)
Vulnerability from cvelistv5
Published
2026-04-08 01:06
Modified
2026-04-13 18:20
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go toolchain | cmd/compile |
Version: 0 ≤ Version: 1.26.0-0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-27144",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T17:49:47.300247Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T18:20:28.098Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "cmd/compile",
"product": "cmd/compile",
"vendor": "Go toolchain",
"versions": [
{
"lessThan": "1.25.9",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.2",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jakub Ciolek - https://ciolek.dev/"
}
],
"descriptions": [
{
"lang": "en",
"value": "The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-440: Expected Behavior Violation",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T01:06:56.908Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/763764"
},
{
"url": "https://go.dev/issue/78371"
},
{
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4867"
}
],
"title": "Miscompilation allows memory corruption via CONVNOP-wrapped array copy in cmd/compile"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-27144",
"datePublished": "2026-04-08T01:06:56.908Z",
"dateReserved": "2026-02-17T19:57:28.435Z",
"dateUpdated": "2026-04-13T18:20:28.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-61732 (GCVE-0-2025-61732)
Vulnerability from cvelistv5
Published
2026-02-05 03:42
Modified
2026-02-05 14:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go toolchain | cmd/cgo |
Version: 0 ≤ Version: 1.25.0-0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-61732",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T14:56:35.952364Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T14:57:44.851Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "cmd/cgo",
"product": "cmd/cgo",
"vendor": "Go toolchain",
"versions": [
{
"lessThan": "1.24.13",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.25.7",
"status": "affected",
"version": "1.25.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "RyotaK (https://ryotak.net) of GMO Flatt Security Inc."
}
],
"descriptions": [
{
"lang": "en",
"value": "A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T03:42:26.392Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/734220"
},
{
"url": "https://go.dev/issue/76697"
},
{
"url": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4433"
}
],
"title": "Potential code smuggling via doc comments in cmd/cgo"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-61732",
"datePublished": "2026-02-05T03:42:26.392Z",
"dateReserved": "2025-09-30T15:05:03.606Z",
"dateUpdated": "2026-02-05T14:57:44.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-61731 (GCVE-0-2025-61731)
Vulnerability from cvelistv5
Published
2026-01-28 19:30
Modified
2026-02-26 15:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go toolchain | cmd/go |
Version: 0 ≤ Version: 1.25.0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-61731",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-29T04:55:56.484332Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T15:04:45.375Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "cmd/go",
"product": "cmd/go",
"vendor": "Go toolchain",
"versions": [
{
"lessThan": "1.24.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.25.6",
"status": "affected",
"version": "1.25.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "RyotaK (https://ryotak.net) of GMO Flatt Security Inc."
}
],
"descriptions": [
{
"lang": "en",
"value": "Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The \"#cgo pkg-config:\" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a \"--log-file\" argument to this directive, causing pkg-config to write to an attacker-controlled location."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:30:30.844Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/736711"
},
{
"url": "https://go.dev/issue/77100"
},
{
"url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4339"
}
],
"title": "Arbitrary file write using cgo pkg-config directive in cmd/go"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-61731",
"datePublished": "2026-01-28T19:30:30.844Z",
"dateReserved": "2025-09-30T15:05:03.605Z",
"dateUpdated": "2026-02-26T15:04:45.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68119 (GCVE-0-2025-68119)
Vulnerability from cvelistv5
Published
2026-01-28 19:30
Modified
2026-02-26 15:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go toolchain | cmd/go |
Version: 1.25.0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-68119",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-29T04:55:55.432053Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T15:04:45.665Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "cmd/go",
"product": "cmd/go",
"vendor": "Go toolchain",
"versions": [
{
"lessThan": "1.25.6",
"status": "affected",
"version": "1.25.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "splitline (@splitline) from DEVCORE Research Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:30:30.704Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/736710"
},
{
"url": "https://go.dev/issue/77099"
},
{
"url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4338"
}
],
"title": "Unexpected code execution when invoking toolchain in cmd/go"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-68119",
"datePublished": "2026-01-28T19:30:30.704Z",
"dateReserved": "2025-12-15T16:48:04.450Z",
"dateUpdated": "2026-02-26T15:04:45.665Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-4674 (GCVE-0-2025-4674)
Vulnerability from cvelistv5
Published
2025-07-29 21:19
Modified
2025-11-04 21:10
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go toolchain | cmd/go |
Version: 0 ≤ Version: 1.24.0-0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-4674",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-06T16:03:21.628652Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73 External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-06T16:06:57.979Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:10:50.871Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/07/08/5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "cmd/go",
"product": "cmd/go",
"vendor": "Go toolchain",
"versions": [
{
"lessThan": "1.23.11",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.24.5",
"status": "affected",
"version": "1.24.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "RyotaK (https://ryotak.net) of GMO Flatt Security Inc"
}
],
"descriptions": [
{
"lang": "en",
"value": "The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via \"go get\", are not affected."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-73: External Control of File Name or Path",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-29T21:19:08.519Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/686515"
},
{
"url": "https://go.dev/issue/74380"
},
{
"url": "https://groups.google.com/g/golang-announce/c/gTNJnDXmn34"
},
{
"url": "https://pkg.go.dev/vuln/GO-2025-3828"
}
],
"title": "Unexpected command execution in untrusted VCS repositories in cmd/go"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-4674",
"datePublished": "2025-07-29T21:19:08.519Z",
"dateReserved": "2025-05-13T23:31:07.620Z",
"dateUpdated": "2025-11-04T21:10:50.871Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22867 (GCVE-0-2025-22867)
Vulnerability from cvelistv5
Published
2025-02-06 17:09
Modified
2025-02-06 21:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only affected go1.24rc2.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go toolchain | cmd/go |
Version: 1.24.0-rc.2 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-22867",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-06T20:06:49.179700Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-06T21:23:25.105Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "cmd/go",
"platforms": [
"darwin"
],
"product": "cmd/go",
"vendor": "Go toolchain",
"versions": [
{
"lessThan": "1.24.0-rc.3",
"status": "affected",
"version": "1.24.0-rc.2",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Juho Fors\u00e9n of Mattermost"
}
],
"descriptions": [
{
"lang": "en",
"value": "On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a \"#cgo LDFLAGS\" directive. This issue only affected go1.24rc2."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-06T17:09:56.893Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/646996"
},
{
"url": "https://go.dev/issue/71476"
},
{
"url": "https://groups.google.com/g/golang-dev/c/TYzikTgHK6Y"
},
{
"url": "https://pkg.go.dev/vuln/GO-2025-3428"
}
],
"title": "Arbitrary code execution during build on darwin in cmd/go"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-22867",
"datePublished": "2025-02-06T17:09:56.893Z",
"dateReserved": "2025-01-08T19:11:42.834Z",
"dateUpdated": "2025-02-06T21:23:25.105Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45340 (GCVE-0-2024-45340)
Vulnerability from cvelistv5
Published
2025-01-28 01:03
Modified
2025-01-30 19:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the users .netrc file.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go toolchain | cmd/go |
Version: 1.24.0-0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45340",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-28T14:57:35.666224Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-28T15:16:48.229Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "cmd/go",
"product": "cmd/go",
"vendor": "Go toolchain",
"versions": [
{
"lessThan": "1.24.0-rc.2",
"status": "affected",
"version": "1.24.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Juho Fors\u00e9n of Mattermost"
}
],
"descriptions": [
{
"lang": "en",
"value": "Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the users .netrc file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-30T19:14:21.639Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/643097"
},
{
"url": "https://go.dev/issue/71249"
},
{
"url": "https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ"
},
{
"url": "https://pkg.go.dev/vuln/GO-2025-3383"
}
],
"title": "GOAUTH credential leak in cmd/go"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2024-45340",
"datePublished": "2025-01-28T01:03:24.605Z",
"dateReserved": "2024-08-27T19:41:58.556Z",
"dateUpdated": "2025-01-30T19:14:21.639Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-24531 (GCVE-0-2023-24531)
Vulnerability from cvelistv5
Published
2024-07-02 19:51
Modified
2025-03-28 15:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad bahaviors, including executing arbitrary commands or inserting new environment variables. This issue is relatively minor because, in general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making "go env" print them out.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go toolchain | cmd/go |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-03-28T15:02:59.076Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/488375"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/493535"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/58508"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-dev/c/ixHOFpSbajE/m/8EjlbKVWAwAJ"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2024-2962"
},
{
"url": "https://security.netapp.com/advisory/ntap-20250328-0005/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:gotoolchain:cmd\\/go:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cmd\\/go",
"vendor": "gotoolchain",
"versions": [
{
"lessThan": "1.21.0-0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-24531",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T13:30:10.564913Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T13:49:46.839Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "cmd/go",
"product": "cmd/go",
"vendor": "Go toolchain",
"versions": [
{
"lessThan": "1.21.0-0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Hunter Wittenborn (https://hunterwittenborn.com/)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn\u0027t sanitize values, so executing its output as a shell script can cause various bad bahaviors, including executing arbitrary commands or inserting new environment variables. This issue is relatively minor because, in general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making \"go env\" print them out."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-138: Improper Neutralization of Special Elements",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T19:51:48.731Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/488375"
},
{
"url": "https://go.dev/cl/493535"
},
{
"url": "https://go.dev/issue/58508"
},
{
"url": "https://groups.google.com/g/golang-dev/c/ixHOFpSbajE/m/8EjlbKVWAwAJ"
},
{
"url": "https://pkg.go.dev/vuln/GO-2024-2962"
}
],
"title": "Output of \"go env\" does not sanitize values in cmd/go"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2023-24531",
"datePublished": "2024-07-02T19:51:48.731Z",
"dateReserved": "2023-01-25T21:19:20.641Z",
"dateUpdated": "2025-03-28T15:02:59.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-24787 (GCVE-0-2024-24787)
Vulnerability from cvelistv5
Published
2024-05-08 15:31
Modified
2025-02-13 17:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE 74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Summary
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go toolchain | cmd/go |
Version: 0 ≤ Version: 1.22.0-0 ≤ |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:golang:go:1.21.0:-:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "go",
"vendor": "golang",
"versions": [
{
"status": "affected",
"version": "1.21.0"
},
{
"status": "affected",
"version": "1.22"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-24787",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-05T14:49:29.014816Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-05T14:54:50.242Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:28:12.679Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/67119"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/583815"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/wkkO4P9stm0"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2024-2825"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240531-0006/"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/05/08/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "cmd/go",
"platforms": [
"darwin"
],
"product": "cmd/go",
"vendor": "Go toolchain",
"versions": [
{
"lessThan": "1.21.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.22.3",
"status": "affected",
"version": "1.22.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Juho Fors\u00e9n (Mattermost)"
}
],
"descriptions": [
{
"lang": "en",
"value": "On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a \"#cgo LDFLAGS\" directive."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE 74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T16:10:10.782Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/67119"
},
{
"url": "https://go.dev/cl/583815"
},
{
"url": "https://groups.google.com/g/golang-announce/c/wkkO4P9stm0"
},
{
"url": "https://pkg.go.dev/vuln/GO-2024-2825"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240531-0006/"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/05/08/3"
}
],
"title": "Arbitrary code execution during build on Darwin in cmd/go"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2024-24787",
"datePublished": "2024-05-08T15:31:14.530Z",
"dateReserved": "2024-01-30T16:05:14.758Z",
"dateUpdated": "2025-02-13T17:40:26.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-45285 (GCVE-0-2023-45285)
Vulnerability from cvelistv5
Published
2023-12-06 16:27
Modified
2025-02-13 17:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go toolchain | cmd/go |
Version: 0 ≤ Version: 1.21.0-0 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:21:15.349Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/63845"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/540257"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2023-2383"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "cmd/go",
"product": "cmd/go",
"vendor": "Go toolchain",
"versions": [
{
"lessThan": "1.20.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.21.5",
"status": "affected",
"version": "1.21.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "David Leadbeater"
}
],
"descriptions": [
{
"lang": "en",
"value": "Using go get to fetch a module with the \".git\" suffix may unexpectedly fallback to the insecure \"git://\" protocol if the module is unavailable via the secure \"https://\" and \"git+ssh://\" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-636: Not Failing Securely (\u0027Failing Open\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-20T04:06:28.460Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ"
},
{
"url": "https://go.dev/issue/63845"
},
{
"url": "https://go.dev/cl/540257"
},
{
"url": "https://pkg.go.dev/vuln/GO-2023-2383"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/"
}
],
"title": "Command \u0027go get\u0027 may unexpectedly fallback to insecure git in cmd/go"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2023-45285",
"datePublished": "2023-12-06T16:27:55.521Z",
"dateReserved": "2023-10-06T17:06:26.220Z",
"dateUpdated": "2025-02-13T17:14:00.033Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-39323 (GCVE-0-2023-39323)
Vulnerability from cvelistv5
Published
2023-10-05 20:36
Modified
2025-06-12 15:15
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE 94: Improper Control of Generation of Code ('Code Injection')
Summary
Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go toolchain | cmd/go |
Version: 0 ≤ Version: 1.21.0-0 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:02:06.899Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/63211"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/533215"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/XBa1oHDevAo"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2023-2095"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20231020-0001/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202311-09"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-39323",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-12T15:14:25.966284Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-12T15:15:12.065Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "cmd/go",
"product": "cmd/go",
"vendor": "Go toolchain",
"versions": [
{
"lessThan": "1.20.9",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.21.2",
"status": "affected",
"version": "1.21.0-0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Line directives (\"//line\") can be used to bypass the restrictions on \"//go:cgo_\" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running \"go build\". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE 94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-25T11:09:58.922Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/63211"
},
{
"url": "https://go.dev/cl/533215"
},
{
"url": "https://groups.google.com/g/golang-announce/c/XBa1oHDevAo"
},
{
"url": "https://pkg.go.dev/vuln/GO-2023-2095"
},
{
"url": "https://security.netapp.com/advisory/ntap-20231020-0001/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
},
{
"url": "https://security.gentoo.org/glsa/202311-09"
}
],
"title": "Arbitrary code execution during build via line directives in cmd/go"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2023-39323",
"datePublished": "2023-10-05T20:36:58.756Z",
"dateReserved": "2023-07-27T17:05:55.188Z",
"dateUpdated": "2025-06-12T15:15:12.065Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-39320 (GCVE-0-2023-39320)
Vulnerability from cvelistv5
Published
2023-09-08 16:13
Modified
2025-02-13 17:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go toolchain | cmd/go |
Version: 1.21.0-0 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:02:06.849Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/62198"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/526158"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2023-2042"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20231020-0004/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202311-09"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39320",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T17:28:10.391044Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T17:28:41.807Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "cmd/go",
"product": "cmd/go",
"vendor": "Go toolchain",
"versions": [
{
"lessThan": "1.21.1",
"status": "affected",
"version": "1.21.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Juho Nurminen of Mattermost"
}
],
"descriptions": [
{
"lang": "en",
"value": "The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the \"go\" command was executed within the module. This applies to modules downloaded using the \"go\" command from the module proxy, as well as modules downloaded directly using VCS software."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-25T11:10:00.880Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/62198"
},
{
"url": "https://go.dev/cl/526158"
},
{
"url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ"
},
{
"url": "https://pkg.go.dev/vuln/GO-2023-2042"
},
{
"url": "https://security.netapp.com/advisory/ntap-20231020-0004/"
},
{
"url": "https://security.gentoo.org/glsa/202311-09"
}
],
"title": "Arbitrary code execution via go.mod toolchain directive in cmd/go"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2023-39320",
"datePublished": "2023-09-08T16:13:26.609Z",
"dateReserved": "2023-07-27T17:05:55.186Z",
"dateUpdated": "2025-02-13T17:02:48.022Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29405 (GCVE-0-2023-29405)
Vulnerability from cvelistv5
Published
2023-06-08 20:19
Modified
2025-01-06 19:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Go toolchain | cmd/go |
Version: 0 ≤ Version: 1.20.0-0 ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-12-06T13:09:26.090Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/60306"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/501224"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2023-1842"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202311-09"
},
{
"url": "https://security.netapp.com/advisory/ntap-20241206-0003/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-29405",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T19:44:14.217992Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T19:44:24.568Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "cmd/go",
"product": "cmd/go",
"vendor": "Go toolchain",
"versions": [
{
"lessThan": "1.19.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.20.5",
"status": "affected",
"version": "1.20.0-0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "cmd/cgo",
"product": "cmd/cgo",
"vendor": "Go toolchain",
"versions": [
{
"lessThan": "1.19.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.20.5",
"status": "affected",
"version": "1.20.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Juho Nurminen of Mattermost"
}
],
"descriptions": [
{
"lang": "en",
"value": "The go command may execute arbitrary code at build time when using cgo. This may occur when running \"go get\" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a \"#cgo LDFLAGS\" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-04T18:09:23.809Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/60306"
},
{
"url": "https://go.dev/cl/501224"
},
{
"url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"
},
{
"url": "https://pkg.go.dev/vuln/GO-2023-1842"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/"
},
{
"url": "https://security.gentoo.org/glsa/202311-09"
}
],
"title": "Improper sanitization of LDFLAGS with embedded spaces in go command with cgo in cmd/go"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2023-29405",
"datePublished": "2023-06-08T20:19:19.267Z",
"dateReserved": "2023-04-05T19:36:35.043Z",
"dateUpdated": "2025-01-06T19:44:24.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29404 (GCVE-0-2023-29404)
Vulnerability from cvelistv5
Published
2023-06-08 20:19
Modified
2025-01-06 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go toolchain | cmd/go |
Version: 0 ≤ Version: 1.20.0-0 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-11-15T13:08:12.758Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/60305"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/501225"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2023-1841"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202311-09"
},
{
"url": "https://security.netapp.com/advisory/ntap-20241115-0009/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-29404",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T19:47:37.186942Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T19:47:57.434Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "cmd/go",
"product": "cmd/go",
"vendor": "Go toolchain",
"versions": [
{
"lessThan": "1.19.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.20.5",
"status": "affected",
"version": "1.20.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Juho Nurminen of Mattermost"
}
],
"descriptions": [
{
"lang": "en",
"value": "The go command may execute arbitrary code at build time when using cgo. This may occur when running \"go get\" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a \"#cgo LDFLAGS\" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-94: Improper Control of Generation of Code (\"Code Injection\")",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-04T18:09:18.646Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/60305"
},
{
"url": "https://go.dev/cl/501225"
},
{
"url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"
},
{
"url": "https://pkg.go.dev/vuln/GO-2023-1841"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/"
},
{
"url": "https://security.gentoo.org/glsa/202311-09"
}
],
"title": "Improper handling of non-optional LDFLAGS in go command with cgo in cmd/go"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2023-29404",
"datePublished": "2023-06-08T20:19:17.548Z",
"dateReserved": "2023-04-05T19:36:35.043Z",
"dateUpdated": "2025-01-06T19:47:57.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29402 (GCVE-0-2023-29402)
Vulnerability from cvelistv5
Published
2023-06-08 20:19
Modified
2025-02-13 16:49
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go toolchain | cmd/go |
Version: 0 ≤ Version: 1.20.0-0 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-12-13T13:09:24.218Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/60167"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/501226"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2023-1839"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202311-09"
},
{
"url": "https://security.netapp.com/advisory/ntap-20241213-0004/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-29402",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T21:13:13.159691Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T21:14:36.576Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "cmd/go",
"product": "cmd/go",
"vendor": "Go toolchain",
"versions": [
{
"lessThan": "1.19.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.20.5",
"status": "affected",
"version": "1.20.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Juho Nurminen of Mattermost"
}
],
"descriptions": [
{
"lang": "en",
"value": "The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via \"go get\", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-25T11:09:38.111Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/60167"
},
{
"url": "https://go.dev/cl/501226"
},
{
"url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"
},
{
"url": "https://pkg.go.dev/vuln/GO-2023-1839"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/"
},
{
"url": "https://security.gentoo.org/glsa/202311-09"
}
],
"title": "Code injection via go command with cgo in cmd/go"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2023-29402",
"datePublished": "2023-06-08T20:19:04.483Z",
"dateReserved": "2023-04-05T19:36:35.042Z",
"dateUpdated": "2025-02-13T16:49:13.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-28366 (GCVE-0-2020-28366)
Vulnerability from cvelistv5
Published
2020-11-18 00:00
Modified
2024-08-04 16:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Go toolchain | cmd/go |
Version: 0 ≤ Version: 1.15.0-0 ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:33:58.955Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/269658"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.googlesource.com/go/+/062e0e5ce6df339dc26732438ad771f73dbf2292"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/42559"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2022-0475"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "cmd/go",
"product": "cmd/go",
"programRoutines": [
{
"name": "Builder.cgo"
}
],
"vendor": "Go toolchain",
"versions": [
{
"lessThan": "1.14.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.15.5",
"status": "affected",
"version": "1.15.0-0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "cmd/cgo",
"product": "cmd/cgo",
"programRoutines": [
{
"name": "dynimport"
}
],
"vendor": "Go toolchain",
"versions": [
{
"lessThan": "1.14.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.15.5",
"status": "affected",
"version": "1.15.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Chris Brown (Tempus Ex)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-12T19:04:21.017Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/269658"
},
{
"url": "https://go.googlesource.com/go/+/062e0e5ce6df339dc26732438ad771f73dbf2292"
},
{
"url": "https://go.dev/issue/42559"
},
{
"url": "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM"
},
{
"url": "https://pkg.go.dev/vuln/GO-2022-0475"
}
],
"title": "Arbitrary code execution in go command with cgo in cmd/go and cmd/cgo"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2020-28366",
"datePublished": "2020-11-18T00:00:00.000Z",
"dateReserved": "2020-11-09T00:00:00.000Z",
"dateUpdated": "2024-08-04T16:33:58.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-28367 (GCVE-0-2020-28367)
Vulnerability from cvelistv5
Published
2020-11-18 00:00
Modified
2024-08-04 16:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go toolchain | cmd/go |
Version: 0 ≤ Version: 1.15.0-0 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:33:59.087Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/267277"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/42556"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2022-0476"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "cmd/go",
"product": "cmd/go",
"programRoutines": [
{
"name": "validCompilerFlags"
}
],
"vendor": "Go toolchain",
"versions": [
{
"lessThan": "1.14.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.15.5",
"status": "affected",
"version": "1.15.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Imre Rad"
}
],
"descriptions": [
{
"lang": "en",
"value": "Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-12T19:04:24.544Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/267277"
},
{
"url": "https://go.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561"
},
{
"url": "https://go.dev/issue/42556"
},
{
"url": "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM"
},
{
"url": "https://pkg.go.dev/vuln/GO-2022-0476"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html"
}
],
"title": "Arbitrary code execution via the go command with cgo in cmd/go"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2020-28367",
"datePublished": "2020-11-18T00:00:00.000Z",
"dateReserved": "2020-11-09T00:00:00.000Z",
"dateUpdated": "2024-08-04T16:33:59.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}