VYPR
Unrated severityOSV Advisory· Published Jan 28, 2026· Updated Feb 26, 2026

Arbitrary file write using cgo pkg-config directive in cmd/go

CVE-2025-61731

Description

Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2140

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.