Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad bahaviors, including executing arbitrary commands or inserting new environment variables. This issue is relatively minor because, in general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making "go env" print them out.

Related CVEs

CVE-2023-24531

Key Information

GHSA ID

GHSA-cwpg-qgc6-jxvq

Published

July 2, 2024 9:32 PM

Last Modified

March 28, 2025 3:31 PM

CVSS Score

9.0 /10

Primary Ecosystem

Unknown

Primary Package

Unknown

GitHub Reviewed

✗ No

Dataset

Last updated: July 18, 2025 6:27 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.