CVE-2025-61731

7.8 HIGH

📋 TL;DR

This vulnerability allows attackers to write arbitrary content to files they control by exploiting the '#cgo pkg-config:' directive in Go source files. Attackers can use the '--log-file' argument to redirect pkg-config output to arbitrary locations. This affects Go applications that process untrusted source files using cmd/go.

💻 Affected Systems

Products:
  • Go programming language
Versions: All versions before Go 1.24.0
Operating Systems: All platforms where Go is installed
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where cmd/go processes untrusted Go source files containing #cgo directives.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Arbitrary file write could lead to remote code execution if combined with other vulnerabilities, or data corruption by overwriting critical system files.

🟠 Likely Case: Local file system manipulation, potentially enabling privilege escalation or data exfiltration by writing to sensitive locations.

🟢 If Mitigated: Limited impact if proper sandboxing and file permission controls prevent writes to sensitive directories.

🌐 Internet-Facing: MEDIUM - Requires processing of attacker-controlled Go source files, which is less common in internet-facing services.
🏢 Internal Only: MEDIUM - Internal build systems or code processing tools that handle untrusted source files are at risk.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the ability to provide malicious Go source files to cmd/go, typically through build systems or code analysis tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.24.0

Vendor Advisory: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc

Restart Required: No

Instructions:

1. Download Go 1.24.0 or later from https://go.dev/dl/
2. Install the new version
3. Rebuild any affected Go applications with the updated toolchain

🔧 Temporary Workarounds

Disable pkg-config logging (all platforms)

Configure pkg-config to not use --log-file argument

export PKG_CONFIG="pkg-config --log-file=/dev/null"

Sandbox build environments (all platforms)

Run cmd/go in restricted environments with limited file write permissions

🧯 If You Can't Patch

  • Implement strict input validation to reject Go source files containing suspicious #cgo directives
  • Run cmd/go in containers or VMs with restricted filesystem access

🔍 How to Verify

Check if Vulnerable:

Check the Go version with 'go version'. If the version is earlier than 1.24.0, the system is vulnerable.

Check Version:

go version

Verify Fix Applied:

After updating, verify that 'go version' shows 1.24.0 or later.

📡 Detection & Monitoring

Log Indicators:

  • Unusual pkg-config invocations with --log-file arguments
  • File writes to unexpected locations during Go builds

SIEM Query:

Process execution where command contains 'pkg-config' AND arguments contain '--log-file'
