CVE-2023-29404 in cmd-goinfo

Summary

by MITRE • 06/09/2023

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 11/21/2025

The vulnerability identified as CVE-2023-29404 represents a critical security flaw in the go command's handling of cgo build processes that can lead to arbitrary code execution during compilation. This vulnerability specifically targets the Go programming language toolchain's approach to sanitizing linker flags through the #cgo LDFLAGS directive, creating a pathway for malicious actors to bypass security controls and inject unauthorized commands into the build environment. The flaw exists in how the go command processes and validates linker flag arguments, particularly affecting both the standard gc compiler and the gccgo compiler implementations. When developers execute commands such as "go get" on malicious modules or perform any build operations involving untrusted code, the vulnerability can be exploited to execute unintended commands with the privileges of the build process.

The technical root cause of this vulnerability stems from improper validation of linker flag arguments within the cgo build system, where certain non-optional flags are incorrectly treated as optional during sanitization processes. This misclassification allows attackers to smuggle disallowed flags through the validation checks, effectively bypassing the security mechanisms designed to prevent dangerous command execution. The vulnerability manifests when the go command processes #cgo LDFLAGS directives and fails to properly validate the arguments for specific linker flags that should be strictly enforced as non-optional. This flaw creates a vector where malicious input can be injected into the build process, potentially executing arbitrary code on the system where the compilation occurs. The issue is particularly concerning because it affects the fundamental build-time security of Go applications and can be triggered through common development workflows involving untrusted modules.

The operational impact of CVE-2023-29404 extends beyond simple code execution, as it can enable attackers to perform a wide range of malicious activities during the build process. Attackers can leverage this vulnerability to execute system commands, access sensitive files, modify build artifacts, or even establish persistence mechanisms within development environments. The vulnerability affects developers who regularly use "go get" to fetch dependencies from public repositories, as well as those who build applications using untrusted code sources. Since both gc and gccgo compilers are affected, the attack surface is broad across different Go build environments. The consequences can be severe for organizations that rely on Go for critical applications, as compromised builds can lead to supply chain attacks, data breaches, or the deployment of malicious code into production environments.

Mitigation strategies for CVE-2023-29404 should focus on immediate patching of affected Go versions and implementing additional security controls around dependency management. Organizations should update their Go toolchains to versions that address this vulnerability, typically those released after the vulnerability disclosure. Development teams should implement strict policies around dependency sourcing, avoiding untrusted modules from public repositories and implementing automated scanning for malicious code. The use of containerized build environments with restricted privileges can help limit the potential damage from successful exploits. Additionally, organizations should consider implementing build-time security controls that monitor and validate cgo directive usage, and establish strict approval processes for any code that requires cgo functionality. This vulnerability aligns with CWE-78 and CWE-74 standards related to command injection and improper input validation, and represents a significant concern under the ATT&CK framework's execution and privilege escalation categories where attackers can leverage build processes to execute malicious code within development environments.

Reservation

04/05/2023

Disclosure

06/09/2023

Moderation

accepted

CPE

ready

EPSS

0.01837

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!