On Sun, 18 Jan 2026 20:52:42 +0100 Salvatore Bonaccorso
<[email protected]> wrote:
CVE-2025-61731[2]:
| cmd/go: bypass of flag sanitization can lead to arbitrary code
| execution
This one is problematic. An attacker could ship a go.mod containing
"toolchain go1.25.5" and introduce the vulnerability if the current
toolchain is less than 1.25.5. Since Debian has 1.24.9 (and even if it
upgrades to 1.24.12), it will get the issue.
I have engaged a bit upstream about that:
https://github.com/golang/go/issues/77099#issuecomment-3769873341. I
don't know if upstream has a history of being helpful around downstream
issues, but I suppose they should be concerned as running go 1.24.12
(up-to-date) can expose you.
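As an added example (not code from this thread, from Debian, or from the Go project), here is a small pre-build check, in Go, for the mechanism the message describes: it reads the `go` and `toolchain` directives out of a go.mod and reports whether they ask for a toolchain newer than the one installed, which is what makes a go command running with the default GOTOOLCHAIN=auto fetch and run another toolchain. It generalises slightly beyond the message by also considering the `go` line, since that directive alone can trigger the same switch. The go.mod contents and the module paths in it are constructed, and the function names are assumptions of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"go/version"
	"runtime"
	"strings"
)

// sampleGoMod is a constructed go.mod of the shape discussed in the thread:
// the go line is satisfiable by a 1.24.x toolchain, but the toolchain line
// asks for go1.25.5. Module paths are invented for the example.
const sampleGoMod = `module example.invalid/demo // constructed sample, not a real module

go 1.24

toolchain go1.25.5

require example.invalid/lib v1.2.3
`

// minToolchain returns the lowest toolchain the go command would need to
// honour a go.mod: the larger of its "go" and "toolchain" directives.
// It returns "" when neither directive pins a toolchain
// ("toolchain default" is treated as no request).
func minToolchain(gomod string) (string, error) {
	var want string
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 { // drop trailing comments
			line = line[:i]
		}
		f := strings.Fields(line)
		if len(f) != 2 {
			continue
		}
		var v string
		switch f[0] {
		case "go":
			v = "go" + f[1] // the go line is written without the "go" prefix
		case "toolchain":
			if f[1] == "default" {
				continue
			}
			// a toolchain name may carry a "-suffix"; compare the version part only
			v = strings.SplitN(f[1], "-", 2)[0]
		default:
			continue
		}
		if !version.IsValid(v) {
			return "", fmt.Errorf("%s directive has unparseable version %q", f[0], f[1])
		}
		if want == "" || version.Compare(v, want) > 0 {
			want = v
		}
	}
	return want, sc.Err()
}

// RequestsNewerToolchain reports whether gomod would make a go command
// running under GOTOOLCHAIN=auto (the default) switch away from the local
// toolchain named by local (e.g. runtime.Version(), or "go1.24.9").
// requested is the toolchain the go.mod effectively asks for, or "".
func RequestsNewerToolchain(gomod, local string) (requested string, newer bool, err error) {
	if !version.IsValid(local) {
		return "", false, fmt.Errorf("local toolchain %q is not a release version", local)
	}
	requested, err = minToolchain(gomod)
	if err != nil || requested == "" {
		return requested, false, err
	}
	return requested, version.Compare(requested, local) > 0, nil
}

func main() {
	local := runtime.Version()
	req, newer, err := RequestsNewerToolchain(sampleGoMod, local)
	switch {
	case err != nil:
		fmt.Println("cannot decide:", err)
	case newer:
		fmt.Printf("go.mod asks for %s, newer than local %s: the go command would download it unless GOTOOLCHAIN=local\n", req, local)
	default:
		fmt.Printf("go.mod is satisfied by the local toolchain %s\n", local)
	}
}
```

Run under a 1.24.x toolchain, the sample triggers the warning. The knob the check points at is GOTOOLCHAIN=local, which makes the go command refuse such a go.mod with an error instead of downloading another toolchain; that is the setting to use when a distribution-built toolchain must stay in use.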