{"id":"GO-2025-3428","summary":"Arbitrary code execution during build on darwin in cmd/go","details":"On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a \"#cgo LDFLAGS\" directive. This issue only affected go1.24rc2.","aliases":["BIT-golang-2025-22867","CVE-2025-22867"],"modified":"2025-02-08T08:11:39.466262Z","published":"2025-02-06T16:54:38Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2025-3428","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://go.dev/cl/646996"},{"type":"REPORT","url":"https://go.dev/issue/71476"},{"type":"WEB","url":"https://groups.google.com/g/golang-dev/c/TYzikTgHK6Y"}],"affected":[{"package":{"name":"toolchain","ecosystem":"Go","purl":"pkg:golang/toolchain"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.24.0-rc.2"},{"fixed":"1.24.0-rc.3"}]}],"ecosystem_specific":{"imports":[{"path":"cmd/go","goos":["darwin"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2025-3428.json"}}],"schema_version":"1.7.3","credits":[{"name":"Juho Forsén of Mattermost"}]}