CVE-2022-30580 Overview
CVE-2022-30580 is a code injection vulnerability affecting the Go programming language's os/exec package. The vulnerability exists in Cmd.Start and allows execution of arbitrary binaries located in the working directory when those binaries are named either ..com or ..exe. This occurs when Cmd.Path is unset and methods such as Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput are called.
Critical Impact
Attackers who can place maliciously named executables (..com or ..exe) in a Go application's working directory can achieve code execution when the application uses os/exec without properly setting Cmd.Path.
Affected Products
- Golang Go versions prior to 1.17.11
- Golang Go versions 1.18.x prior to 1.18.3
Discovery Timeline
- 2022-08-10 - CVE-2022-30580 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-30580
Vulnerability Analysis
This code injection vulnerability (CWE-94) stems from improper handling of command execution when Cmd.Path is left unset in the os/exec package. The attack requires local access and low privileges to exploit but can result in complete compromise of confidentiality, integrity, and availability on the affected system.
When a Go application uses the os/exec package to execute commands without explicitly setting the Cmd.Path field, the runtime can inadvertently resolve to maliciously named files in the current working directory. Specifically, files named ..com or ..exe become valid execution targets, allowing an attacker to inject and run arbitrary code within the context of the vulnerable application.
Root Cause
The root cause lies in the command path resolution logic within Go's os/exec package. When Cmd.Path is not explicitly set by the developer, the package's internal resolution mechanism can incorrectly match specially crafted filenames (..com or ..exe) in the working directory. This behavior stems from insufficient validation of the resolved path before execution, allowing directory-relative filenames with unusual naming patterns to be executed as commands.
Attack Vector
The attack vector is local, requiring the attacker to have the ability to write files to the working directory of a vulnerable Go application. The exploitation scenario involves:
- An attacker places a malicious executable named ..com or ..exe in the target application's working directory
- The victim application calls Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput without properly setting Cmd.Path
- The Go runtime resolves the command to the attacker's malicious binary
- The malicious code executes with the privileges of the vulnerable application
For detailed technical information about the vulnerability mechanism, refer to the Go Issue Tracker Entry and the Golang Announcement Discussion.
Detection Methods for CVE-2022-30580
Indicators of Compromise
- Presence of files named ..com or ..exe in application working directories
- Unexpected process execution originating from Go applications using os/exec
- Anomalous file creation events in directories where Go applications operate
- Process trees showing unusual child processes spawned from Go binaries
Detection Strategies
- Monitor file system events for creation of files with suspicious names (..com, ..exe) in directories containing Go applications
- Implement application-level logging to track all os/exec invocations and their resolved paths
- Use static code analysis tools to identify Go code using os/exec without explicitly setting Cmd.Path
- Deploy endpoint detection solutions to monitor for abnormal process execution patterns
Monitoring Recommendations
- Enable file integrity monitoring on directories where Go applications execute
- Configure SIEM alerts for process execution events involving ..com or ..exe filenames
- Implement runtime application self-protection (RASP) to detect unexpected command execution
- Audit Go application dependencies and source code for vulnerable patterns
How to Mitigate CVE-2022-30580
Immediate Actions Required
- Upgrade Go to version 1.17.11 or later (for 1.17.x branch)
- Upgrade Go to version 1.18.3 or later (for 1.18.x branch)
- Audit existing Go applications for usage of os/exec without explicit Cmd.Path assignment
- Restrict write permissions to working directories of Go applications
Patch Information
The Go team has released patches addressing this vulnerability. The fix ensures proper validation of command paths before execution, preventing the resolution of maliciously named files in the working directory.
- Go Dev Change Log - Contains the changeset addressing the vulnerability
- Go Source Code Commit - The specific commit fixing the issue
- Go Vulnerability Report - Official vulnerability documentation
Workarounds
- Always explicitly set Cmd.Path when using the os/exec package
- Restrict file system permissions to prevent unauthorized file creation in application working directories
- Use absolute paths for command execution rather than relying on path resolution
- Implement input validation and sanitization for any user-controlled paths used in command execution
# Check installed Go version
go version
# Upgrade Go to patched version (example for 1.18.x)
# Download from https://go.dev/dl/ and install Go 1.18.3+
# Verify upgrade
go version
# Expected output: go version go1.18.3 (or higher)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
