CVE-2022-30580 in Google
Summary
by MITRE • 08/11/2022
Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/06/2026
The vulnerability described in CVE-2022-30580 represents a critical code injection flaw within the Go programming language's os/exec package that affects versions prior to Go 1.17.11 and Go 1.18.3. This vulnerability stems from improper handling of command execution when the Cmd.Path field is left unset, creating a dangerous condition where attacker-controlled input can influence the execution flow of system commands. The flaw specifically exploits the way Go's exec package resolves command paths when no explicit path is provided, leading to potential arbitrary code execution through maliciously named binaries in the working directory.
The technical nature of this vulnerability aligns with CWE-94, which describes improper control of generation of code, and more specifically with CWE-78, which addresses improper neutralization of special elements used in OS commands. The vulnerability occurs because the Go runtime attempts to locate executables in the working directory when Cmd.Path is unset, and it does so without proper sanitization or validation of the directory contents. When a binary named "..com" or "..exe" exists in the working directory, the exec package may inadvertently execute this malicious binary instead of the intended command, as the system's command resolution mechanism fails to properly distinguish between legitimate and malicious executables.
From an operational perspective, this vulnerability poses significant risks to applications that rely on Go's exec package for command execution, particularly those that accept user input or process external data without proper validation. Attackers can exploit this flaw by placing specially named binaries in the working directory of a vulnerable application, effectively bypassing normal security controls and executing arbitrary code with the privileges of the running process. The impact extends beyond simple code injection to potentially enable full system compromise, as the executed code can perform any action permitted by the application's permissions. This vulnerability is particularly dangerous in web applications, automated systems, or any environment where user input is processed through command execution mechanisms, as it can be leveraged for remote code execution attacks.
The mitigation strategy for CVE-2022-30580 primarily involves upgrading to Go versions 1.17.11 or 1.18.3, which contain patches that properly validate command paths and prevent the execution of malicious binaries in the working directory. Organizations should also implement defensive programming practices such as explicitly setting the Cmd.Path field to prevent automatic path resolution, validating and sanitizing all command inputs, and ensuring that applications run with minimal required privileges. Additionally, security monitoring should be enhanced to detect suspicious binary creation or modification in application working directories, and the principle of least privilege should be enforced to limit the impact of potential exploitation. This vulnerability demonstrates the critical importance of proper input validation and command execution handling in preventing arbitrary code execution attacks, and aligns with ATT&CK technique T1059.001 for command and scripting interpreter, where adversaries use legitimate system tools to execute malicious code.