Impact
The "go tool pack" subcommand, part of the Go toolchain, extracts files from archives without sanitizing the output path names. When a malicious archive contains filenames that navigate backward with sequences such as ../../, the extractor will write or overwrite files at arbitrary locations relative to the current working directory, effectively performing a path traversal. The flaw is one of improper input validation that allows writing to arbitrary paths, and it is identified as CWE-787. The vulnerability can be triggered by any input supplied to the pack command.
Affected Systems
Any installation of the Go compiler that includes the cmd/go executable is potentially affected. No specific version range is cited, so the issue applies to all current releases that have not incorporated a fix for this directory traversal flaw.
Risk and Exploitability
The moderate CVSS score of 5.9 reflects the potential for local arbitrary file creation or overwrite, but the EPSS score of < 1% indicates a very low probability of exploitation. As the vulnerability is not listed in CISA KEV, there are no publicly documented active exploits. The attack requires local execution of "go tool pack" with a crafted archive; remote exploitation through the network is not possible according to the description. While the flaw does not guarantee code execution or privilege escalation, the ability to write to arbitrary files could allow an attacker to deploy malicious files if the environment permits such actions.