CVE-2023-24531: Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its out...

Description

Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad bahaviors, including executing arbitrary commands or inserting new environment variables. This issue is relatively minor because, in general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making "go env" print them out.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

0.83%

53.0th percentile

Probability of exploitation in the next 30 days. Learn more

References

Timeline

Published: Jul 2, 2024
Last Modified: Jun 17, 2026
Status: Deferred

Frequently Asked Questions

What is CVE-2023-24531?

Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad bahaviors, including executing arbitrary commands or inserting new environment variables. This issue is relatively minor because, in general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making "go env" print them out.

How severe is CVE-2023-24531?

CVE-2023-24531 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 0.83% probability of exploitation in the next 30 days.

How do I fix CVE-2023-24531?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.