Cyber Posture

CVE-2025-22867

High

Published: 06 February 2025

Published
06 February 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0041 61.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-22867 is a high-severity an unspecified weakness vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001); ranked in the top 38.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SA-15 (Development Process, Standards, and Tools).

Threat & Defense at a Glance

What attackers do: exploitation maps to Compromise Software Dependencies and Development Tools (T1195.001). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mandates identification, reporting, and correction of the specific flaw in go1.24rc2 via upgrade to patched versions, eliminating the arbitrary code execution risk.

SA-15 Development Process, Standards, and Tools good match
prevent

Requires use of approved development tools and standards, preventing employment of the vulnerable go1.24rc2 toolchain during CGO module builds on Darwin.

CM-11 User-installed Software good match
prevent

Prevents unauthorized installation of user software like the vulnerable go1.24rc2, blocking introduction of the CGO LDFLAGS exploitation vector.

MITRE ATT&CK Enterprise TechniquesAI

T1195.001 Compromise Software Dependencies and Development Tools Initial Access
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.
attack.mitre.org →
Why these techniques?

The vulnerability allows arbitrary code execution during Go module builds containing CGO when malicious #cgo LDFLAGS values are processed by the ld linker, directly facilitating supply chain compromise via crafted software dependencies that exploit the development toolchain.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only…

more

affected go1.24rc2.

Deeper analysisAI

CVE-2025-22867 is a vulnerability in the Go toolchain, specifically affecting version go1.24rc2 on Darwin systems. It occurs when building a Go module that contains CGO, where the usage of special values such as @executable_path, @loader_path, or @rpath in a #cgo LDFLAGS directive triggers arbitrary code execution when using Apple's version of the ld linker.

The vulnerability has a CVSS score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating it can be exploited over the network with low complexity by any unauthenticated attacker without privileges or user interaction. Successful exploitation during the module build process allows arbitrary code execution, resulting in high integrity impact but no confidentiality or availability disruption.

Mitigation details are available in Go advisories and related resources, including the fix at https://go.dev/cl/646996, issue discussion at https://go.dev/issue/71476, mailing list thread at https://groups.google.com/g/golang-dev/c/TYzikTgHK6Y, and vulnerability entry at https://pkg.go.dev/vuln/GO-2025-3428. The issue is limited to go1.24rc2, so upgrading to a subsequent Go version addresses the problem.

Details

CWE(s)
None listed

Affected Products

Apple
inferred from references and description; NVD did not file a CPE for this CVE

References