CVE-2025-61732 PUBLISHED

Potential code smuggling via doc comments in cmd/cgo

Assigner: Go
Reserved: 30.09.2025
Published: 05.02.2026
Updated: 05.02.2026

A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

Product Status

Vendor: Go toolchain
Product: cmd/cgo
Versions (default: unaffected):
  • affected from 0 to 1.24.13 (excl.)
  • affected from 1.25.0-0 to 1.25.7 (excl.)

Credits

  • RyotaK (https://ryotak.net) of GMO Flatt Security Inc.

Problem Types

  • CWE-94: Improper Control of Generation of Code ('Code Injection')