CVE-2025-61732

Published Feb 5, 2026

Last updated a month ago

CVSS high 8.6
Mysql

Overview

Description
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
Source
security@golang.org
NVD status
Analyzed
Products
go

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.6
Impact score
6
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Severity
HIGH

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-94

Social media

Hype score
Not currently trending

  1. Top 5 Trending CVEs: 1 - CVE-2025-32711 2 - CVE-2026-1731 3 - CVE-2025-61732 4 - CVE-2026-20817 5 - CVE-2026-25526 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    10 Feb 2026

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Go 1.25.7, 1.24.13 fix 2 CVEs https://t.co/bf31PXLyCI CVE-2025-61732: cmd/cgo: Discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the cgo binary CVE-2025-68121: crypto/tls: Unexpected session resumption when using Config.GetConfigForClient

    @oss_security

    8 Feb 2026

    355 Impressions

    0 Retweets

    5 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. ๐Ÿšจ CVE-2025-61732 : GO CGO BUILD-TIME CODE INJECTION ALERT ๐Ÿšจ A high-severity build-time code injection vulnerability has been disclosed in Goโ€™s cgo toolchain, allowing attackers to smuggle malicious C/C++ code inside comments that execute during compilation, completely

    @OstorlabSec

    6 Feb 2026

    46 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. [CVE-2025-61732: HIGH] A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.#cve,CVE-2025-61732,#cybersecurity https://t.co/FVI59rzvWe

    @CveFindCom

    5 Feb 2026

    72 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  5. ๐ŸŸ  CVE-2025-61732 - High A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. https://t.co/BzPIeGG7I2 https://t.co/9Ua9pFQExa

    @TheHackerWire

    5 Feb 2026

    47 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2025-61732 A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. https://t.co/uDbk6eiG9g

    @CVEnew

    5 Feb 2026

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. ๐ŸŽ‰ Go 1.25.7 and 1.24.13 are released! ๐Ÿ” Security: Includes a security fix for cmd/cgo (CVE-2025-61732) and an update for crypto/tls (CVE-2025-68121). ๐Ÿ—ฃ Announcement: https://t.co/gn4BwmFBh4 ๐Ÿ“ฆ Download: https://t.co/cZRQix5aeM #golang https://t.co/NnF8ayxKrK

    @golang

    4 Feb 2026

    12719 Impressions

    44 Retweets

    308 Likes

    18 Bookmarks

    2 Replies

    2 Quotes

Configurations

Related CVEs

  1. During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.โ€ขCVE-2025-68121
  2. It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.โ€ขCVE-2025-22873
  3. Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths.โ€ขCVE-2025-68119
  4. Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.โ€ขCVE-2025-61731
  5. The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.โ€ขCVE-2025-61726

References

Sources include official advisories and independent security research.