CVE-2025-22867: 
Golang vulnerability analysis and mitigation

CVE-2025-22867 is a security vulnerability discovered in the Go programming language's cmd/go package. The vulnerability was identified on February 6, 2025, affecting specifically go1.24rc2. On Darwin systems, when building a Go module containing CGO, arbitrary code execution can be triggered when using the Apple version of ld, due to usage of the @executablepath, @loaderpath, or @rpath special values in a "#cgo LDFLAGS" directive (NVD, Go Issue).

The vulnerability exists in the cmd/go package when building modules with CGO on Darwin systems. It specifically involves the handling of special path values (@executablepath, @loaderpath, or @rpath) in the "#cgo LDFLAGS" directive when using Apple's linker (ld). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating a high severity issue with network attack vector and no required privileges or user interaction (Red Hat).

The vulnerability allows for arbitrary code execution during the build process on Darwin systems. This could potentially lead to unauthorized code execution in the context of the build environment, compromising the integrity of the build process and potentially the resulting binary (Go Issue).

The vulnerability has been fixed in go1.24rc3. Users running go1.24rc2 should upgrade to go1.24rc3 or a later version. No other mitigation strategies are available other than updating to the fixed version (Go Dev).

The Go development team responded promptly to the vulnerability by releasing go1.24rc3 which includes the fix. The issue was handled according to Go's security policy and was publicly disclosed after the fix was available (Go Dev).