CVE-2025-61731 is an OS command injection vulnerability classified under CWE-78 affecting the Go toolchain, specifically the cmd/go command. The vulnerability stems from the way the Go build system processes the "#cgo pkg-config:" directive within Go source files. This directive passes command-line arguments to the pkg-config tool, which is used to retrieve compiler and linker flags for libraries. An attacker can craft a malicious Go source file containing a "#cgo pkg-config:" directive with a "--log-file" argument. This argument instructs pkg-config to write logs to a file at a location controlled by the attacker. Due to insufficient sanitization or neutralization of special characters and command-line arguments, this can lead to writing arbitrary content to attacker-chosen file paths. The vulnerability affects all Go versions from 0 up to and including 1.25.0. Exploitation requires local access with low privileges and no user interaction, making it relatively easy to exploit in environments where untrusted Go code can be built. The impact includes potential arbitrary file writes, which can be leveraged for privilege escalation, code execution, or persistent backdoors. The CVSS v3.1 score is 7.8, indicating high severity with high impact on confidentiality, integrity, and availability. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk to developers and organizations relying on Go for software builds. No official patches are listed yet, so mitigation may require restricting build environments or sanitizing inputs until fixes are released.

The vulnerability allows attackers to write files to arbitrary locations with partial control over the content, potentially enabling privilege escalation, unauthorized code execution, or persistent compromise. Since Go is widely used for building software across various industries, this flaw can affect a broad range of development environments and production systems. Attackers with local access can exploit this vulnerability to manipulate build artifacts or inject malicious code, undermining software integrity and trust. The compromise of build systems can cascade into supply chain attacks, affecting downstream consumers of the built software. Confidentiality is at risk due to potential exposure or alteration of sensitive files. Integrity is compromised as attackers can alter build outputs or configuration files. Availability may also be impacted if critical files are overwritten or corrupted. The ease of exploitation combined with the widespread use of Go increases the threat level for organizations globally.

1. Immediately restrict build environments to trusted users and sources to prevent untrusted code execution. 2. Monitor and audit build logs and file writes for suspicious activity, especially unexpected writes to unusual file paths. 3. Until patches are available, consider disabling or restricting the use of "#cgo pkg-config:" directives in Go source files from untrusted sources. 4. Employ sandboxing or containerization for build processes to limit filesystem and process access. 5. Validate and sanitize all inputs that influence build commands or directives to prevent injection of malicious arguments. 6. Keep Go toolchain versions updated and apply official patches promptly once released. 7. Implement file integrity monitoring on critical build and system files to detect unauthorized modifications. 8. Educate developers and build engineers about the risks of processing untrusted Go source files and enforce strict code review policies.