Login Sign Up

CVE-2025-22867

7.5 HIGH
Remote Code Execution

📋 TL;DR

This vulnerability allows arbitrary code execution when building Go modules containing CGO on Darwin systems using Apple's linker. Attackers can exploit special path values in CGO LDFLAGS directives to execute malicious code during compilation. Only affects developers building Go modules with CGO on macOS using go1.24rc2.

💻 Affected Systems

Products:
  • Go programming language
Versions: go1.24rc2 only
Operating Systems: Darwin (macOS)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects builds using CGO with Apple's linker (ld). Requires building Go modules, not just running compiled binaries.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise through malicious code execution during build process, potentially leading to supply chain attacks affecting downstream users.

🟠

Likely Case

Targeted attacks against developers building Go projects with CGO, potentially stealing credentials or compromising development environments.

🟢

If Mitigated

Limited impact if developers only build trusted code and maintain secure build environments.

🌐 Internet-Facing: LOW - This is primarily a development/build-time vulnerability, not typically exposed to internet-facing systems.
🏢 Internal Only: MEDIUM - Development environments and CI/CD pipelines could be compromised, potentially affecting internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires attacker to control or influence the build process, such as through malicious dependencies or compromised build environments.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: go1.24rc3 and later

Vendor Advisory: https://pkg.go.dev/vuln/GO-2025-3428

Restart Required: No

Instructions:

1. Upgrade Go to version 1.24rc3 or later. 2. For go1.24rc2 users: Download and install fixed version from https://go.dev/dl/. 3. Rebuild any affected modules with the updated Go version.

🔧 Temporary Workarounds

Disable CGO during builds

all

Build Go modules without CGO support to avoid the vulnerable code path

CGO_ENABLED=0 go build

Avoid go1.24rc2

all

Use stable Go 1.23.x or wait for go1.24 stable release

🧯 If You Can't Patch

  • Implement strict source control: only build from trusted, verified repositories
  • Isolate build environments: run builds in sandboxed containers with minimal privileges

🔍 How to Verify

Check if Vulnerable:

Check if using go1.24rc2 on macOS and building modules with CGO enabled

Check Version:

go version

Verify Fix Applied:

Verify Go version is 1.24rc3 or later: go version should not show 'go1.24rc2'

📡 Detection & Monitoring

Log Indicators:

  • Unexpected build failures when using CGO
  • Suspicious linker flags in build logs containing @executable_path, @loader_path, or @rpath

Network Indicators:

  • Unusual network connections during build process from go build commands

SIEM Query:

process_name:"go" AND cmdline:"build" AND (cmdline:"@executable_path" OR cmdline:"@loader_path" OR cmdline:"@rpath")

📊 Metadata

CVE ID: CVE-2025-22867
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score: 0.49% exploit probability (64.8th percentile)
Published: February 6, 2025
Last Updated: February 6, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON