Donate Telegram

CVE-2025-22867

HIGH CVSS 3.1: 7.5 EPSS 0.48%

Feb 06, 2025

Updated Feb 06, 2025

Apple

Parameter	Value
CVSS	7.5 (HIGH)
Vendor	Apple
Public PoC	No

On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only affected go1.24rc2.

Attack Parameters

Attack Vector

Network

Атака возможна удалённо

Attack Complexity

Low

Легко эксплуатировать

Privileges Required

None

Права не нужны

User Interaction

None

Не нужно действие пользователя

Impact Assessment

Confidentiality

None

Нет утечки данных

Integrity

High

Полная модификация данных

Availability

None

Нет нарушения работы

CVSS Vector v3.1

References 4

https://go.dev/cl/646996

security@golang.org

https://go.dev/issue/71476

security@golang.org

https://groups.google.com/g/golang-dev/c/TYzikTgHK6Y

security@golang.org

https://pkg.go.dev/vuln/GO-2025-3428

security@golang.org

Share Post Share Share Share

Related Vulnerabilities

CVE-2026-30863

Apple

CVE-2026-24070

Apple

CVE-2023-54188

Apple

CVE-2025-1061

Apple

CVE-2025-22136

Apple

CVE Details

CVE ID

CVE-2025-22867

Published Date

Feb 06, 2025

Vendor

Apple

Severity

HIGH

CVSS v3.1 Score

7.5

High severity. Prioritize patching.

Attack Analysis

Exploitability 3.9/10

How easy to exploit

Impact 3.6/10

Severity of consequences

Exploit Prediction (EPSS)

Probability of Exploit 0.48%

Likelihood of exploitation in next 30 days

Percentile: 65.0th percentile (higher than 65.0% of all CVEs)

Standard patching cycle

Impact

Complete data modification

Source

Editor's Choice