The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).

Related CVEs

CVE-2023-29402

Key Information

GHSA ID

GHSA-f2cj-5636-4j38

Published

June 8, 2023 9:30 PM

Last Modified

December 13, 2024 3:30 PM

CVSS Score

9.0 /10

Primary Ecosystem

Unknown

Primary Package

Unknown

GitHub Reviewed

✗ No

Dataset

Last updated: July 18, 2025 6:27 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.