CVE-2025-22867

Aliases:GO-2025-3428BIT-golang-2025-22867

Advisory lineage Upstream: 0 Downstream: 4

Downstream

OPENSUSE-SU-2025:14735-1 OPENSUSE-SU-2025:14754-1 SUSE-SU-2025:0429-1 SUSE-SU-2025:0431-1

Deferred

Published: 06 Feb 2025, 17:09

Last modified:06 Feb 2025, 21:23

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (cve.org)

EPSS Score

0.41% LOW

0% probability -0.07%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

06 Feb 2025, 17:09

Published

Vulnerability first disclosed

06 Feb 2025, 21:23

Last Modified

Vulnerability information updated

Description

On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only affected go1.24rc2.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Trends

Current EPSS score: 0.41%• Percentile: 62%

Affected Systems

go toolchain•cmd/go
≥ 1.24.0-rc.2, < 1.24.0-rc.3
Go•toolchain
≥ 1.24.0-rc.2, < 1.24.0-rc.3