CVE-2025-61731 in cmd-go
Summary
by MITRE • 01/28/2026
Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 06/02/2026
The vulnerability identified as CVE-2025-61731 represents a significant security flaw in the Go programming language toolchain that stems from improper handling of command-line arguments within the #cgo directive. This issue specifically affects the interaction between the Go build system and the pkg-config utility, creating a path for arbitrary file writes that can be exploited by attackers. The vulnerability manifests when developers use the "#cgo pkg-config:" directive in Go source files, which is designed to pass command-line arguments to the pkg-config command during the build process. When an attacker can influence the content of a Go source file, they can manipulate this directive to include malicious arguments that redirect pkg-config output to locations controlled by the attacker.
The technical exploitation of this vulnerability relies on the ability to inject malicious command-line arguments into the pkg-config directive, specifically the "--log-file" argument. This argument allows pkg-config to write its output to a specified file path, which can be controlled by an attacker who has the capability to modify the Go source code. The impact is particularly concerning because the attacker gains partial control over the file content written to the target location, potentially allowing for the injection of malicious data or the creation of files that could be used in subsequent attack vectors. The vulnerability is classified under CWE-73 as "External Control of File Name or Path," which specifically addresses situations where user-controllable input can influence file operations within a system. This weakness creates a direct pathway for attackers to manipulate file system operations through legitimate build processes, bypassing normal security controls that would otherwise prevent such operations.
From an operational perspective, this vulnerability presents a sophisticated attack surface that can be leveraged in various scenarios including supply chain attacks, where malicious actors compromise repositories or build systems to inject malicious code into legitimate Go applications. The attack requires the attacker to have write access to Go source files, which could occur through compromised developer accounts, insecure code repositories, or social engineering attacks targeting development teams. The vulnerability can be exploited during the build phase of Go applications, making it particularly dangerous because it operates at the compilation level and can affect applications that are subsequently deployed to production environments. This type of vulnerability aligns with ATT&CK technique T1059.006 for "Command and Scripting Interpreter: Python" and T1078.004 for "Valid Accounts: Cloud Accounts" as it leverages legitimate build processes to achieve malicious file operations. The attack vector is particularly insidious because it can be embedded within legitimate-looking source code changes that would not raise immediate suspicion during code reviews.
Mitigation strategies for CVE-2025-61731 should focus on both immediate defensive measures and long-term architectural improvements to the Go build process. Developers should implement strict source code validation and sanitization procedures that prevent arbitrary command-line arguments from being passed to pkg-config through cgo directives. Organizations should consider implementing build-time restrictions that limit the ability of external inputs to influence pkg-config operations, particularly when these inputs originate from untrusted sources. The recommended approach includes enforcing secure coding practices that prevent the injection of command-line arguments through user-controllable data, and implementing automated tools that can detect and flag potentially malicious cgo directive usage. Additionally, developers should be educated about the risks associated with using pkg-config directives and the importance of validating all external inputs that might influence build processes. Security monitoring should be enhanced to detect unusual file write operations that occur during build processes, particularly when these operations target unusual or non-standard file paths. The vulnerability highlights the importance of the principle of least privilege in build environments and the need for strict controls over how command-line arguments are processed within development toolchains.