cmd/go: potential code smuggling using doc comments (CVE-2025-61732)

[thatnealpatel]

In very select cases, it is possible to smuggle C code, that is otherwise ignored by the Go compiler, into generated files due to semantic differences in how the Go compiler and the C compiler parse comment strings.

Since this issue does not otherwise expand the capabilities of generating Go and C files using Cgo, we are treating this as a PUBLIC track issue per the Go Security Policy.

Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc. for reporting this issue.

This is CVE-2025-61732.

cc @golang/compiler

[gabyhelp]

Related Issues

• cmd/go: unexpected command execution in untrusted VCS repositories CVE-2025-4674 #74380 (closed)
• cmd/go: cgo code injection [CVE-2023-29402] #60167 (closed)
• cmd/go: line directives allows arbitrary execution during build (CVE-2023-39323) #63211 (closed)
• Disallow LTR, RTL & co. characters in comments #49257 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[gopherbot]

Change https://go.dev/cl/734220 mentions this issue: cmd/go: remove user-content from doc strings in cgo ASTs.

[neild]

@gopherbot please open backport issues for this security fix.

[gopherbot]

Backport issue(s) opened: #77128 (for 1.24), #77129 (for 1.25).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[ianlancetaylor]

Can we add a test for this? In any case I'm curious about the test case.

[gopherbot]

Change https://go.dev/cl/736780 mentions this issue: cmd/cgo: add test for sanitizing smuggled doc comment code