CVE-2025-22867 Overview
On Darwin (macOS), building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a #cgo LDFLAGS directive. This vulnerability allows attackers to inject malicious code during the Go build process by exploiting how Apple's linker handles special path directives.
Critical Impact
Arbitrary code execution during Go module builds on macOS systems using CGO with Apple's linker, potentially compromising developer environments and CI/CD pipelines.
Affected Products
- Go version go1.24rc2 (release candidate)
- Darwin/macOS systems using Apple's ld linker
- Go modules utilizing CGO with #cgo LDFLAGS directives
Discovery Timeline
- 2025-02-06 - CVE CVE-2025-22867 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-22867
Vulnerability Analysis
This vulnerability exists in the Go toolchain's handling of CGO linker flags on Darwin systems. When building Go modules that utilize CGO, developers can specify linker flags using the #cgo LDFLAGS directive. Apple's version of ld supports special path values including @executable_path, @loader_path, and @rpath which are used to specify dynamic library search paths relative to various reference points.
The vulnerability arises because the Go build system did not properly sanitize or restrict the use of these special path values in CGO directives. An attacker could craft a malicious Go module that abuses these special values to load arbitrary code during the build process, effectively achieving code execution in the context of the developer or build system processing the module.
This type of supply chain vulnerability is particularly concerning because developers often build third-party modules as part of their development workflow, potentially without full code review of all imported dependencies.
Root Cause
The root cause stems from insufficient input validation in the Go CGO build process when processing #cgo LDFLAGS directives on Darwin systems. The special Apple linker path values (@executable_path, @loader_path, @rpath) were not filtered or restricted, allowing malicious modules to manipulate the library loading behavior of the resulting binary or the build process itself.
Attack Vector
An attacker could exploit this vulnerability through a supply chain attack vector. The attack requires the victim to build a malicious Go module containing CGO code with crafted #cgo LDFLAGS directives. This could occur through:
The attack leverages Apple's ld linker's special path resolution mechanism. By specifying paths using @executable_path, @loader_path, or @rpath, an attacker can redirect library loading to attacker-controlled locations, achieving arbitrary code execution during the build process or when the built binary is executed.
Detection Methods for CVE-2025-22867
Indicators of Compromise
- Presence of @executable_path, @loader_path, or @rpath strings in #cgo LDFLAGS directives within Go source files
- Unexpected library loading behavior during Go module builds on macOS
- Build logs showing unusual linker flag usage with Apple-specific path specifiers
- Third-party Go dependencies containing suspicious CGO LDFLAGS configurations
Detection Strategies
- Implement static analysis of Go modules to scan for dangerous #cgo LDFLAGS patterns before building
- Monitor build process system calls for unexpected library loads or file accesses
- Deploy dependency scanning tools to identify Go modules containing CGO with suspicious linker flags
- Review build logs for linker invocations containing @executable_path, @loader_path, or @rpath
Monitoring Recommendations
- Enable verbose build logging for Go projects that utilize CGO on Darwin systems
- Implement file integrity monitoring on development and CI/CD systems
- Monitor for unexpected network connections or file accesses during Go build processes
- Establish baseline behavior for Go builds and alert on deviations
How to Mitigate CVE-2025-22867
Immediate Actions Required
- Upgrade from go1.24rc2 to a patched version of Go immediately
- Audit any Go modules built with go1.24rc2 on Darwin systems for potential compromise
- Review third-party dependencies for suspicious #cgo LDFLAGS directives
- Consider rebuilding affected binaries with a patched Go version
Patch Information
The Go team has addressed this vulnerability in subsequent releases. The fix is documented in Go.dev Code Change Log CL/646996. For complete vulnerability details, refer to the Go.dev Vulnerability Report GO-2025-3428. Additional discussion can be found in the Go.dev Issue Tracker Entry and the Golang Dev Discussion Post.
Workarounds
- Avoid using go1.24rc2 for building Go modules with CGO on Darwin systems
- Implement strict code review policies for all Go dependencies, especially those using CGO
- Build Go modules in isolated environments with restricted file system access
- Consider using non-Apple linkers or building on non-Darwin systems when possible
# Check your Go version and upgrade if using go1.24rc2
go version
# Verify no suspicious LDFLAGS in your project
grep -r "@executable_path\|@loader_path\|@rpath" --include="*.go" .
# Use go mod vendor to audit third-party CGO dependencies
go mod vendor
grep -r "@executable_path\|@loader_path\|@rpath" vendor/
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
