CVE-2025-22867
Description
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only affected go1.24rc2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-22867 allows arbitrary code execution during a Go build on Darwin when a module's "#cgo LDFLAGS" directive carries the @executable_path, @loader_path or @rpath placeholders and the flags reach Apple's ld; only go1.24rc2 is affected.
Root Cause
On Darwin (macOS), a Go module that uses cgo (C interoperability) is linked with the Apple-supplied ld. Because cgo lets a module inject its own linker flags through a "#cgo LDFLAGS" directive, cmd/go validates those flags against an allowlist before passing them to the external linker, so that merely building untrusted code does not execute it. In go1.24rc2 that validation let through the special values @executable_path, @loader_path and @rpath (placeholders that Apple's linker and dyld expand relative to the executable, the loading library, or the run-path search list). When Apple's ld processes such a flag during the build, it can be made to load a shared library from an attacker-chosen location, so code runs in the build step itself [1][3]. The flaw was introduced in Go 1.24 release candidate 2 (go1.24rc2) and is not present in earlier releases.
Attack Vector and Prerequisites
The attacker needs only to get a Go module with a crafted "#cgo LDFLAGS" directive (one containing @executable_path, @loader_path or @rpath) into a build: a malicious dependency, a typosquatted package, or a compromised repository all suffice [1][2]. The module does not have to be a direct dependency, since go build compiles every package in the build graph, transitive ones included. When a developer or CI job on Darwin runs go build, go test or go install with go1.24rc2, the flags are handed to Apple's ld and a malicious dylib can be loaded from an attacker-controlled location. No credentials or interaction beyond triggering the build are required.
Impact
Successful exploitation runs attacker code with the privileges of the build process. From there the attacker can compromise the build host, exfiltrate secrets available to it (signing keys, API tokens, cloud credentials), plant a backdoor in the binary being produced, or pivot further into the infrastructure. The page rates the issue High (CVSS 7.5) because confidentiality, integrity and availability of the build system can all be lost [1][2].
Mitigation
The vulnerability was fixed in Go 1.24 release candidate 3 (go1.24rc3). Users running go1.24rc2 should upgrade to go1.24rc3 or later [1][2]. The advisory lists no workaround for the affected version; since only go1.24rc2 is vulnerable, returning to a stable release such as Go 1.23.x also removes the exposure. Building with CGO_ENABLED=0 keeps the C toolchain, and therefore ld, from being invoked at all, at the price of excluding every file that imports "C". The issue was discovered and reported by Juho Forsén of Mattermost [3].
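As an added example (not code from this page or from the Go project), the following Go program is a pre-build audit of the kind a CI job could run before compiling an untrusted module on a Darwin builder: it parses each source file with go/parser, extracts the cgo preamble that precedes `import "C"`, and flags any "#cgo LDFLAGS" directive that references @executable_path, @loader_path or @rpath, alongside a check for the single affected toolchain version. The function names (ScanSource, ToolchainAffected), the Finding type and the two sample sources are assumptions made for the example; the samples are constructed, not taken from any real module. It is a conservative triage aid, not a reimplementation of cmd/go's linker-flag allowlist.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Placeholders that Apple's linker and dyld expand relative to the executable,
// the loading library, or the run-path list. go1.24rc2 let them through in
// "#cgo LDFLAGS"; this scanner flags any directive that mentions one.
var suspectValues = []string{"@executable_path", "@loader_path", "@rpath"}

// Finding is one #cgo LDFLAGS directive that carries a suspect placeholder.
type Finding struct {
	File      string
	Line      int    // 1-based line of the directive within File
	Directive string // the full "#cgo ... LDFLAGS: ..." line, trimmed
	Token     string // the placeholder that matched
}

// ToolchainAffected reports whether a Go version string (for instance the
// value of runtime.Version()) names the only affected release, go1.24rc2.
func ToolchainAffected(version string) bool {
	return strings.TrimSpace(version) == "go1.24rc2"
}

// cgoPreambles returns the comment groups cgo treats as the preamble: the
// doc comment immediately preceding `import "C"`.
func cgoPreambles(f *ast.File) []*ast.CommentGroup {
	var groups []*ast.CommentGroup
	for _, decl := range f.Decls {
		gd, ok := decl.(*ast.GenDecl)
		if !ok || gd.Tok != token.IMPORT {
			continue
		}
		for _, spec := range gd.Specs {
			is := spec.(*ast.ImportSpec)
			if is.Path.Value != `"C"` {
				continue
			}
			if gd.Doc != nil { // import "C" without parentheses
				groups = append(groups, gd.Doc)
			}
			if is.Doc != nil { // import ( "C" ) with the comment inside the parens
				groups = append(groups, is.Doc)
			}
		}
	}
	return groups
}

// commentLines strips the comment markers from c and returns its lines in
// source order, so that element i sits at the comment's start line plus i.
func commentLines(c *ast.Comment) []string {
	text := c.Text
	if strings.HasPrefix(text, "//") {
		return []string{text[2:]}
	}
	text = strings.TrimPrefix(text, "/*")
	text = strings.TrimSuffix(text, "*/")
	return strings.Split(text, "\n")
}

// ScanSource parses one Go file and returns every #cgo LDFLAGS directive in
// its cgo preamble that references a suspect placeholder. Build constraints
// inside the directive ("#cgo darwin LDFLAGS:") are deliberately ignored, so
// the scan is conservative and flags the line whatever the target.
func ScanSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, parser.ParseComments|parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, group := range cgoPreambles(f) {
		for _, c := range group.List {
			startLine := fset.Position(c.Slash).Line
			for i, raw := range commentLines(c) {
				line := strings.TrimSpace(raw)
				if !strings.HasPrefix(line, "#cgo") {
					continue
				}
				// A directive reads "#cgo [constraints] NAME: values"; keep LDFLAGS only.
				head, _, ok := strings.Cut(line, ":")
				fields := strings.Fields(head)
				if !ok || len(fields) == 0 || fields[len(fields)-1] != "LDFLAGS" {
					continue
				}
				for _, ph := range suspectValues {
					if strings.Contains(line, ph) {
						findings = append(findings, Finding{File: filename, Line: startLine + i, Directive: line, Token: ph})
					}
				}
			}
		}
	}
	return findings, nil
}

// Constructed sample sources (not from any real module). SampleSource carries
// one directive of the kind that reached Apple's ld unchecked under go1.24rc2.
const SampleSource = `package foo

/*
#cgo CFLAGS: -I/usr/local/include
#cgo darwin LDFLAGS: -L/usr/local/lib -lfoo -Wl,-rpath,@loader_path/../lib
#include <stdio.h>
*/
import "C"
`

const CleanSource = `package bar

// #cgo LDFLAGS: -L/usr/local/lib -lbar
// #include <bar.h>
import "C"
`

func main() {
	for name, src := range map[string]string{"foo/cgo.go": SampleSource, "bar/cgo.go": CleanSource} {
		findings, err := ScanSource(name, src)
		if err != nil {
			panic(err)
		}
		for _, f := range findings {
			fmt.Printf("%s:%d: suspect %s in %q\n", f.File, f.Line, f.Token, f.Directive)
		}
	}
	fmt.Println("go1.24rc2 affected:", ToolchainAffected("go1.24rc2"))
}
```

In a real pipeline the scan would walk the module cache (the output of `go list -deps -f '{{.Dir}}'`) rather than two inline strings, and a non-empty result should fail the job before `go build` runs on the Darwin builder; the version gate is the cheap check that makes the scan unnecessary once the toolchain is no longer go1.24rc2.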
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
OSV coordinates (no CPE entries); the version range follows each package:
- pkg:bitnami/golang: >= 1.24.0-rc.2, < 1.24.0-rc.3
- pkg:rpm/opensuse/go1.24 (openSUSE Leap 15.6): < 1.24rc3-150000.1.6.1
- pkg:rpm/opensuse/go1.24 (openSUSE Tumbleweed): < 1.24rc3-1.1
- pkg:rpm/opensuse/govulncheck-vulndb (openSUSE Leap 15.6): < 0.0.20250207T224745-150000.1.32.1
- pkg:rpm/opensuse/govulncheck-vulndb (openSUSE Tumbleweed): < 0.0.20250207T224745-1.1
- pkg:rpm/suse/go1.24 (SUSE Linux Enterprise Module for Development Tools 15 SP6): < 1.24rc3-150000.1.6.1
- pkg:rpm/suse/govulncheck-vulndb (SUSE Linux Enterprise Module for Package Hub 15 SP6): < 0.0.20250207T224745-150000.1.32.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.