CVE-2023-29404

Name of the Vulnerable Software and Affected Versions Go versions prior to the fixed version

Description The issue is related to the incorrect handling of code generation when processing linker flags from the CgoLDFLAGS directive, allowing a remote attacker to execute arbitrary code. This can occur when running "go get" on a malicious module or when building untrusted code. The vulnerability is triggered by linker flags specified via a "#cgo LDFLAGS" directive, where non-optional flag arguments are incorrectly considered optional, enabling disallowed flags to bypass LDFLAGS sanitization. This affects both the gc and gccgo compilers.

Recommendations For Go versions prior to the fixed version, update to the latest version to resolve the issue. As a temporary workaround, consider restricting the use of the "#cgo LDFLAGS" directive to minimize the risk of exploitation. Avoid using the LDFLAGS variable in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.