CVE-2025-22867

High

Published: 06 February 2025

Published

06 February 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Score 0.0041 61.4th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only affected go1.24rc2.

Security Summary

CVE-2025-22867 is a vulnerability in the Go toolchain, specifically affecting version go1.24rc2 on Darwin systems. It occurs when building a Go module that contains CGO, where the usage of special values such as @executable_path, @loader_path, or @rpath in a #cgo LDFLAGS directive triggers arbitrary code execution when using Apple's version of the ld linker.

The vulnerability has a CVSS score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating it can be exploited over the network with low complexity by any unauthenticated attacker without privileges or user interaction. Successful exploitation during the module build process allows arbitrary code execution, resulting in high integrity impact but no confidentiality or availability disruption.

Mitigation details are available in Go advisories and related resources, including the fix at https://go.dev/cl/646996, issue discussion at https://go.dev/issue/71476, mailing list thread at https://groups.google.com/g/golang-dev/c/TYzikTgHK6Y, and vulnerability entry at https://pkg.go.dev/vuln/GO-2025-3428. The issue is limited to go1.24rc2, so upgrading to a subsequent Go version addresses the problem.

Details

CWE(s): None listed

References

https://go.dev/cl/646996
security@golang.org
https://go.dev/issue/71476
security@golang.org
https://groups.google.com/g/golang-dev/c/TYzikTgHK6Y
security@golang.org
https://pkg.go.dev/vuln/GO-2025-3428
security@golang.org