Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package toolchain, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (30)
CVE-2023-29405 — CVSS 9.8 (critical): The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when…
CVE-2023-39320 — CVSS 9.8 (critical): The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module…
CVE-2017-15041 — CVSS 9.8 (critical): Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so…
CVE-2026-27143 — CVSS 9.8 (critical): Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow…
CVE-2021-38297 — CVSS 9.8 (critical): Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when…
CVE-2023-24531 — CVSS 9.8 (critical): Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so…
CVE-2023-29402 — CVSS 9.8 (critical): The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program…
CVE-2023-29404 — CVSS 9.8 (critical): The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when…
CVE-2024-45340 — CVSS 8.8 (high): Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request…
CVE-2018-7187 — CVSS 8.8 (high): The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only…
CVE-2026-27140 — CVSS 8.8 (high): SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to…
CVE-2025-61732 — CVSS 8.6 (high): A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
CVE-2025-4674 — CVSS 8.6 (high): The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS…
CVE-2023-39323 — CVSS 8.1 (high): Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to…
CVE-2018-16873 — CVSS 8.1 (high): In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag…
CVE-2018-16874 — CVSS 8.1 (high): In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path…
CVE-2025-61731 — CVSS 7.8 (high): Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content…
CVE-2018-6574 — CVSS 7.8 (high): Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source…
CVE-2025-22867 — CVSS 7.5 (high): On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of…
CVE-2021-3115 — CVSS 7.5 (high): Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get"…
CVE-2020-28367 — CVSS 7.5 (high): Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc…
CVE-2023-45285 — CVSS 7.5 (high): Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is…
CVE-2022-23773 — CVSS 7.5 (high): cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to…
CVE-2020-28366 — CVSS 7.5 (high): Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious…
CVE-2026-42501 — CVSS 7.5 (high): A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This…
CVE-2026-27144 — CVSS 7.1 (high): The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from…
CVE-2025-68119 — CVSS 7.0 (high): Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed…
CVE-2024-24787 — CVSS 6.4 (medium): On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of…
CVE-2026-39817 — CVSS 5.9 (medium): The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output…
CVE-2026-39819 — CVSS 5.3 (medium): The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with…