The go env command in the Go toolchain prints environment variables in a shell-script-style format. A vulnerability, CVE-2023-24531, was disclosed showing that if the output of go env is executed as shell code, specially crafted environment values can cause unexpected behavior, including arbitrary command execution. This issue was addressed in Go 1.21. Discussions on WindowsForum cover the practical risks and operational impact for teams using go env in scripts, CI pipelines, and container images, emphasizing the need for safer tooling practices.
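To audit scripts, CI pipelines and container build files for the pattern described above, the following added example (not from the forum thread or the Go project) flags lines that execute go env output as shell code. The names scan_go_env_exec, make_samples and RISKY_RE, the regex heuristics and the sample scripts are assumptions constructed for this illustration.

```shell
#!/bin/sh
# Added example: flag scripts that run `go env` output as shell code.
# The patterns are heuristics chosen for this example, not an exhaustive list.

# POSIX ERE with three alternatives:
#   eval "$(go env)" or eval `go env`   (command substitution fed to eval)
#   source <(go env) or . <(go env)     (process substitution sourced)
#   go env | sh                         (output piped into a shell)
RISKY_RE='(eval[[:space:]]+"?(\$\(|`)[[:space:]]*go[[:space:]]+env)'
RISKY_RE="$RISKY_RE"'|((source|\.)[[:space:]]+<\([[:space:]]*go[[:space:]]+env)'
RISKY_RE="$RISKY_RE"'|(go[[:space:]]+env[^|#]*\|[[:space:]]*(ba|da|z|k)?sh([[:space:]]|$))'

# scan_go_env_exec DIR: print file:line:text for each risky line, skipping
# lines that are entirely comments. Always returns 0.
scan_go_env_exec() {
    grep -rnE "$RISKY_RE" "$1" 2>/dev/null \
        | grep -vE '^[^:]+:[0-9]+:[[:space:]]*#' || true
}

# make_samples DIR: write constructed sample scripts (not from any real repo).
make_samples() {
    cat > "$1/ci_bad.sh" <<'EOF'
#!/bin/sh
eval "$(go env)"
EOF
    cat > "$1/build_bad.sh" <<'EOF'
#!/bin/bash
source <(go env)
go env | sh
EOF
    # Safer consumption: ask for one value, or parse the JSON form.
    cat > "$1/ci_ok.sh" <<'EOF'
#!/bin/sh
# eval "$(go env)" was removed from this script
GOPATH_DIR="$(go env GOPATH)"
go env -json | jq -r .GOROOT
EOF
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
scan_go_env_exec "$demo_dir"
rm -rf "$demo_dir"
```

Each flagged line is a candidate for replacement with a single-variable query (go env GOPATH) or the JSON form (go env -json), neither of which passes the output through a shell parser.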
The Go toolchain disclosure CVE-2023-24531 reveals a deceptively simple but important weakness: the go env command prints a shell-script-style representation of environment variables without adequately sanitizing their values. If that output is executed as shell code, specially crafted...