CVE-2025-61731
Published: 28 January 2026
Summary
CVE-2025-61731 is a high-severity an unspecified weakness vulnerability in Golang Go. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 1.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-11 (User-installed Software).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Flaw remediation directly mitigates this CVE by applying the vendor patch to cmd/go, preventing malicious #cgo pkg-config directives from enabling unauthorized file writes.
User-installed software restrictions prohibit or scan untrusted Go source files before building, blocking exploitation by malicious directives.
Malicious code protection scans Go source code at entry points to detect and eradicate files with malicious #cgo pkg-config directives prior to building.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Malicious Go source file with crafted cgo directive is built by victim, directly enabling user execution of attacker-provided file that results in arbitrary writes.
NVD Description
Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go…
more
pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.
Deeper analysisAI
CVE-2025-61731 affects the cmd/go tool in the Go programming language. The vulnerability arises when building a Go source file that includes a malicious "#cgo pkg-config:" directive. This directive passes command-line arguments to the pkg-config command, and an attacker can include a "--log-file" argument to direct pkg-config to write log data to an attacker-controlled file location, granting partial control over the written content.
A local attacker with low privileges can exploit this issue by tricking a user into building a malicious Go source file. Exploitation requires local access and low complexity with no user interaction needed. Successful attacks enable arbitrary file writes, resulting in high impacts to confidentiality, integrity, and availability, as reflected in the CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Go advisories detail mitigations and patches, including the fix in change list https://go.dev/cl/736711, issue discussion at https://go.dev/issue/77100, announcement at https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc, and vulnerability entry at https://pkg.go.dev/vuln/GO-2026-4339.
Details
- CWE(s)