The vulnerability arises in the "go tool pack" subcommand, part of the Go toolchain. The subcommand concatenates the filenames contained in a malicious archive without performing path sanitization, allowing an archive such as ../../../../etc/passwd to be extracted to an arbitrary location. When an attacker supplies such an archive to the subcommand, the tool writes or overwrites files anywhere the executing user has permission to. Because this subcommand is normally invoked by the compiler with known‑good inputs, the presence of unsanitized filenames can be exploited by injecting malicious archives into build sources or package repositories. The resulting arbitrary file creation or overwrite can lead to code execution, privilege escalation, or denial of service. This weakness is a classic path‑traversal or unsanitized input flaw, commonly identified as CWE‑22 or CWE‑73.

The affected product is the Go toolchain, specifically the cmd/go executable. No specific version range is supplied in the advisory; therefore any installation of the Go compiler that includes the pack subcommand may be impacted until the fix is released.

No EPSS score is available and the flaw is not listed in the CISA KEV catalog, indicating no reported active exploitation. Nevertheless, the flaw permits local, arbitrary file write, which is a high‑severity risk when build tools are exposed to untrusted input. An attacker with the ability to run "go tool pack" and supply a crafted archive can overwrite system or application files, potentially enabling further compromise. The exploitation path requires local execution and a malicious archive; remote exploitation is not possible via network alone. The lack of a known exploit reduces immediate threat, but the potential impact for vulnerable environments remains significant.