Go Language Vulnerability in pkg-config Directives by Google
CVE-2025-61731

7.8HIGH

Key Information:

Vendor: Go Toolchain
Status: Cmd/go
Vendor: CVE Published:; 28 January 2026

🔔 Create Go Toolchain Vulnerability Alert

What is CVE-2025-61731?

A vulnerability exists in Google's Go programming language relating to the '#cgo pkg-config:' directive. An attacker can exploit this by constructing a malicious Go source file that includes a '--log-file' argument, enabling the pkg-config tool to write output to a location controlled by the attacker. This flaw allows unauthorized access and can lead to potential manipulation of file contents, posing significant security risks.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

cmd/go 0 < 1.24.12

cmd/go 1.25.0 < 1.25.6

References

https://go.dev/cl/736711

https://go.dev/issue/77100

https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 28, 2026
Vulnerability Reserved
Sep 30, 2025

Credit

RyotaK (https://ryotak.net) of GMO Flatt Security Inc.

JSON

Go Toolchain

What is CVE-2025-61731?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.