{ "config": { "protocol_version": "v1.0.0", "scanner_name": "govulncheck", "scanner_version": "v1.1.4", "db": "https://vuln.go.dev", "db_last_modified": "2026-03-23T18:16:18Z", "go_version": "go1.26.1", "scan_level": "symbol", "scan_mode": "source" } } { "SBOM": { "go_version": "go1.26.1", "modules": [ { "path": "github.com/user-management-system" }, { "path": "github.com/KyleBanks/depth", "version": "v1.2.1" }, { "path": "github.com/alibabacloud-go/alibabacloud-gateway-spi", "version": "v0.0.5" }, { "path": "github.com/alibabacloud-go/darabonba-openapi/v2", "version": "v2.1.14" }, { "path": "github.com/alibabacloud-go/debug", "version": "v1.0.1" }, { "path": "github.com/alibabacloud-go/dysmsapi-20170525/v5", "version": "v5.5.0" }, { "path": "github.com/alibabacloud-go/tea", "version": "v1.3.13" }, { "path": "github.com/alibabacloud-go/tea-utils/v2", "version": "v2.0.7" }, { "path": "github.com/aliyun/credentials-go", "version": "v1.4.5" }, { "path": "github.com/beorn7/perks", "version": "v1.0.1" }, { "path": "github.com/boombuler/barcode", "version": "v1.0.1-0.20190219062509-6c824513bacc" }, { "path": "github.com/cespare/xxhash/v2", "version": "v2.3.0" }, { "path": "github.com/clbanning/mxj/v2", "version": "v2.7.0" }, { "path": "github.com/dgryski/go-rendezvous", "version": "v0.0.0-20200823014737-9f7001d12a5f" }, { "path": "github.com/dustin/go-humanize", "version": "v1.0.1" }, { "path": "github.com/fsnotify/fsnotify", "version": "v1.7.0" }, { "path": "github.com/gabriel-vasile/mimetype", "version": "v1.4.13" }, { "path": "github.com/gin-contrib/sse", "version": "v1.1.0" }, { "path": "github.com/gin-gonic/gin", "version": "v1.12.0" }, { "path": "github.com/glebarez/go-sqlite", "version": "v1.21.2" }, { "path": "github.com/glebarez/sqlite", "version": "v1.11.0" }, { "path": "github.com/go-openapi/jsonpointer", "version": "v0.22.5" }, { "path": "github.com/go-openapi/jsonreference", "version": "v0.21.5" }, { "path": "github.com/go-openapi/spec", "version": "v0.22.4" }, { "path": "github.com/go-openapi/swag/conv", "version": "v0.25.5" }, { "path": "github.com/go-openapi/swag/jsonname", "version": "v0.25.5" }, { "path": "github.com/go-openapi/swag/jsonutils", "version": "v0.25.5" }, { "path": "github.com/go-openapi/swag/loading", "version": "v0.25.5" }, { "path": "github.com/go-openapi/swag/stringutils", "version": "v0.25.5" }, { "path": "github.com/go-openapi/swag/typeutils", "version": "v0.25.5" }, { "path": "github.com/go-openapi/swag/yamlutils", "version": "v0.25.5" }, { "path": "github.com/go-playground/locales", "version": "v0.14.1" }, { "path": "github.com/go-playground/universal-translator", "version": "v0.18.1" }, { "path": "github.com/go-playground/validator/v10", "version": "v10.30.1" }, { "path": "github.com/goccy/go-yaml", "version": "v1.19.2" }, { "path": "github.com/golang-jwt/jwt/v5", "version": "v5.2.1" }, { "path": "github.com/hashicorp/hcl", "version": "v1.0.0" }, { "path": "github.com/jinzhu/inflection", "version": "v1.0.0" }, { "path": "github.com/jinzhu/now", "version": "v1.1.5" }, { "path": "github.com/json-iterator/go", "version": "v1.1.12" }, { "path": "github.com/leodido/go-urn", "version": "v1.4.0" }, { "path": "github.com/magiconair/properties", "version": "v1.8.7" }, { "path": "github.com/mattn/go-isatty", "version": "v0.0.20" }, { "path": "github.com/mattn/go-sqlite3", "version": "v1.14.22" }, { "path": "github.com/mitchellh/mapstructure", "version": "v1.5.0" }, { "path": "github.com/modern-go/concurrent", "version": "v0.0.0-20180306012644-bacd9c7ef1dd" }, { "path": "github.com/modern-go/reflect2", "version": "v1.0.2" }, { "path": "github.com/ncruces/go-strftime", "version": "v1.0.0" }, { "path": "github.com/pelletier/go-toml/v2", "version": "v2.2.4" }, { "path": "github.com/pquerna/otp", "version": "v1.5.0" }, { "path": "github.com/prometheus/client_golang", "version": "v1.19.0" }, { "path": "github.com/prometheus/client_model", "version": "v0.6.1" }, { "path": "github.com/prometheus/common", "version": "v0.53.0" }, { "path": "github.com/quic-go/qpack", "version": "v0.6.0" }, { "path": "github.com/quic-go/quic-go", "version": "v0.59.0" }, { "path": "github.com/redis/go-redis/v9", "version": "v9.18.0" }, { "path": "github.com/remyoudompheng/bigfft", "version": "v0.0.0-20230129092748-24d4a6f8daec" }, { "path": "github.com/richardlehane/mscfb", "version": "v1.0.4" }, { "path": "github.com/richardlehane/msoleps", "version": "v1.0.4" }, { "path": "github.com/sagikazarmark/slog-shim", "version": "v0.1.0" }, { "path": "github.com/spf13/afero", "version": "v1.11.0" }, { "path": "github.com/spf13/cast", "version": "v1.6.0" }, { "path": "github.com/spf13/pflag", "version": "v1.0.5" }, { "path": "github.com/spf13/viper", "version": "v1.19.0" }, { "path": "github.com/subosito/gotenv", "version": "v1.6.0" }, { "path": "github.com/swaggo/files", "version": "v1.0.1" }, { "path": "github.com/swaggo/gin-swagger", "version": "v1.6.1" }, { "path": "github.com/swaggo/swag", "version": "v1.16.6" }, { "path": "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common", "version": "v1.3.57" }, { "path": "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/sms", "version": "v1.3.57" }, { "path": "github.com/tiendc/go-deepcopy", "version": "v1.6.0" }, { "path": "github.com/tjfoc/gmsm", "version": "v1.4.1" }, { "path": "github.com/ugorji/go/codec", "version": "v1.3.1" }, { "path": "github.com/xuri/efp", "version": "v0.0.1" }, { "path": "github.com/xuri/excelize/v2", "version": "v2.9.1" }, { "path": "github.com/xuri/nfp", "version": "v0.0.1" }, { "path": "go.mongodb.org/mongo-driver/v2", "version": "v2.5.0" }, { "path": "go.uber.org/atomic", "version": "v1.11.0" }, { "path": "go.yaml.in/yaml/v3", "version": "v3.0.4" }, { "path": "golang.org/x/crypto", "version": "v0.49.0" }, { "path": "golang.org/x/exp", "version": "v0.0.0-20251023183803-a4bb9ffd2546" }, { "path": "golang.org/x/mod", "version": "v0.34.0" }, { "path": "golang.org/x/net", "version": "v0.52.0" }, { "path": "golang.org/x/oauth2", "version": "v0.18.0" }, { "path": "golang.org/x/sync", "version": "v0.20.0" }, { "path": "golang.org/x/sys", "version": "v0.42.0" }, { "path": "golang.org/x/text", "version": "v0.35.0" }, { "path": "golang.org/x/tools", "version": "v0.43.0" }, { "path": "google.golang.org/protobuf", "version": "v1.36.11" }, { "path": "gopkg.in/ini.v1", "version": "v1.67.0" }, { "path": "gopkg.in/yaml.v3", "version": "v3.0.1" }, { "path": "gorm.io/driver/sqlite", "version": "v1.6.0" }, { "path": "gorm.io/gorm", "version": "v1.30.0" }, { "path": "modernc.org/libc", "version": "v1.67.6" }, { "path": "modernc.org/mathutil", "version": "v1.7.1" }, { "path": "modernc.org/memory", "version": "v1.11.0" }, { "path": "modernc.org/sqlite", "version": "v1.46.1" }, { "path": "stdlib", "version": "v1.26.1" } ], "roots": [ "github.com/user-management-system/internal/auth/providers", "github.com/user-management-system/internal/auth", "github.com/user-management-system/internal/cache", "github.com/user-management-system/internal/config", "github.com/user-management-system/internal/domain", "github.com/user-management-system/internal/pkg/errors", "github.com/user-management-system/internal/repository", "github.com/user-management-system/internal/security", "github.com/user-management-system/internal/api/middleware", "github.com/user-management-system/internal/response", "github.com/user-management-system/internal/service", "github.com/user-management-system/internal/api/handler", "github.com/user-management-system/internal/api/router", "github.com/user-management-system/internal/database", "github.com/user-management-system/internal/monitoring", "github.com/user-management-system/cmd/server", "github.com/user-management-system/docs", "github.com/user-management-system/frontend/admin/node_modules/flatted/golang/pkg/flatted", "github.com/user-management-system/internal/concurrent", "github.com/user-management-system/internal/e2e", "github.com/user-management-system/internal/integration", "github.com/user-management-system/internal/middleware", "github.com/user-management-system/internal/models", "github.com/user-management-system/internal/performance", "github.com/user-management-system/internal/robustness", "github.com/user-management-system/internal/testdb", "github.com/user-management-system/pkg/errors", "github.com/user-management-system/pkg/response" ] } } { "progress": { "message": "Fetching vulnerabilities from the database..." } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-2160", "modified": "2024-05-20T16:03:47Z", "published": "2023-11-02T21:44:01Z", "aliases": [ "CVE-2023-46239", "GHSA-3q6m-v84f-6p9h" ], "summary": "Panic during QUIC handshake in github.com/quic-go/quic-go", "details": "The QUIC handshake can cause a panic when processing a certain sequence of frames. A malicious peer can deliberately trigger this panic.", "affected": [ { "package": { "name": "github.com/quic-go/quic-go", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.37.0" }, { "fixed": "0.37.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "github.com/quic-go/quic-go" } ] } } ], "references": [ { "type": "ADVISORY", "url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h" }, { "type": "FIX", "url": "https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-2160", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2024-2459", "modified": "2024-05-20T16:03:47Z", "published": "2024-01-23T17:04:50Z", "aliases": [ "CVE-2023-49295", "GHSA-ppxx-5m9h-6vxf" ], "summary": "Denial of service via path validation in github.com/quic-go/quic-go", "details": "Denial of service via path validation in github.com/quic-go/quic-go", "affected": [ { "package": { "name": "github.com/quic-go/quic-go", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.37.7" }, { "introduced": "0.38.0" }, { "fixed": "0.38.2" }, { "introduced": "0.39.0" }, { "fixed": "0.39.4" }, { "introduced": "0.40.0" }, { "fixed": "0.40.1" } ] } ], "ecosystem_specific": {} } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49295" }, { "type": "FIX", "url": "https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d606ac56dc" }, { "type": "FIX", "url": "https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541fdad965" }, { "type": "FIX", "url": "https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded77c189a" }, { "type": "FIX", "url": "https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928166cf49" }, { "type": "FIX", "url": "https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965e10534e" }, { "type": "FIX", "url": "https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d9e9e6cc" }, { "type": "FIX", "url": "https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee3430ae4" }, { "type": "FIX", "url": "https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b1e5abb8" }, { "type": "WEB", "url": "https://seemann.io/posts/2023-12-18-exploiting-quics-path-validation/" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-2459", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2024-2682", "modified": "2024-05-20T16:03:47Z", "published": "2024-04-05T16:53:41Z", "aliases": [ "CVE-2024-22189", "GHSA-c33x-xqrf-c478" ], "summary": "Denial of service via connection starvation in github.com/quic-go/quic-go", "details": "An attacker can cause its peer to run out of memory by sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame. The attacker can prevent the receiver from sending out (the vast majority of) these RETIRE_CONNECTION_ID frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate.", "affected": [ { "package": { "name": "github.com/quic-go/quic-go", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.42.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "github.com/quic-go/quic-go", "symbols": [ "Dial", "DialAddr", "DialAddrEarly", "DialEarly", "Listen", "ListenAddr", "ListenAddrEarly", "ListenEarly", "Transport.Dial", "Transport.DialEarly", "Transport.Listen", "Transport.ListenEarly", "connIDGenerator.Retire", "connIDGenerator.SetMaxActiveConnIDs", "connIDManager.Add", "connIDManager.Get", "connection.AcceptStream", "connection.AcceptUniStream", "connection.OpenStream", "connection.OpenStreamSync", "connection.OpenUniStream", "connection.OpenUniStreamSync", "connection.run", "framerI.AppendStreamFrames", "framerI.QueueControlFrame", "packetPacker.AppendPacket", "packetPacker.MaybePackProbePacket", "packetPacker.PackAckOnlyPacket", "packetPacker.PackApplicationClose", "packetPacker.PackCoalescedPacket", "packetPacker.PackConnectionClose", "packetPacker.PackMTUProbePacket", "receiveStream.CancelRead", "receiveStream.CloseRemote", "receiveStream.Read", "sendStream.CancelWrite", "streamsMap.AcceptStream", "streamsMap.AcceptUniStream", "streamsMap.DeleteStream", "streamsMap.HandleMaxStreamsFrame", "streamsMap.OpenStream", "streamsMap.OpenStreamSync", "streamsMap.OpenUniStream", "streamsMap.OpenUniStreamSync", "streamsMap.UpdateLimits", "windowUpdateQueue.QueueAll" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://github.com/quic-go/quic-go/commit/4a99b816ae3ab03ae5449d15aac45147c85ed47a" }, { "type": "WEB", "url": "https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management" } ], "credits": [ { "name": "marten-seemann" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-2682", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2024-3302", "modified": "2024-12-12T21:59:58Z", "published": "2024-12-04T16:13:30Z", "aliases": [ "CVE-2024-53259", "GHSA-px8v-pp82-rcvr" ], "summary": "ICMP Packet Too Large Injection Attack on Linux in github.com/quic-go/quic-go", "details": "ICMP Packet Too Large Injection Attack on Linux in github.com/quic-go/quic-go", "affected": [ { "package": { "name": "github.com/quic-go/quic-go", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.48.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "github.com/quic-go/quic-go", "goos": [ "linux" ], "symbols": [ "Dial", "DialAddr", "DialAddrEarly", "DialEarly", "Listen", "ListenAddr", "ListenAddrEarly", "ListenEarly", "StreamError.Error", "Transport.Close", "Transport.Dial", "Transport.DialEarly", "Transport.Listen", "Transport.ListenEarly", "Transport.ReadNonQUICPacket", "Transport.WriteTo", "connIDGenerator.RemoveAll", "connIDGenerator.ReplaceWithClosed", "connIDGenerator.Retire", "connIDGenerator.SetHandshakeComplete", "connIDGenerator.SetMaxActiveConnIDs", "connIDManager.Add", "connIDManager.AddFromPreferredAddress", "connIDManager.Get", "connMultiplexer.RemoveConn", "connection.AcceptStream", "connection.AcceptUniStream", "connection.CloseWithError", "connection.OpenStream", "connection.OpenStreamSync", "connection.OpenUniStream", "connection.OpenUniStreamSync", "cryptoStream.HandleCryptoFrame", "cryptoStreamManager.Drop", "cryptoStreamManager.GetCryptoData", "cryptoStreamManager.HandleCryptoFrame", "datagramQueue.HandleDatagramFrame", "framer.AppendControlFrames", "mtuFinderAckHandler.OnAcked", "oobConn.ReadPacket", "packetHandlerMap.Add", "packetHandlerMap.AddWithConnID", "packetHandlerMap.Close", "packetHandlerMap.GetStatelessResetToken", "packetHandlerMap.Remove", "packetHandlerMap.ReplaceWithClosed", "packetHandlerMap.Retire", "packetPacker.AppendPacket", "packetPacker.MaybePackProbePacket", "packetPacker.PackAckOnlyPacket", "packetPacker.PackApplicationClose", "packetPacker.PackCoalescedPacket", "packetPacker.PackConnectionClose", "packetPacker.PackMTUProbePacket", "packetUnpacker.UnpackLongHeader", "packetUnpacker.UnpackShortHeader", "receiveStream.CancelRead", "receiveStream.Read", "retransmissionQueue.DropPackets", "sconn.Write", "sendQueue.Run", "sendStream.CancelWrite", "sendStream.Close", "sendStream.Write", "setDF", "stream.Close", "streamsMap.AcceptStream", "streamsMap.AcceptUniStream", "streamsMap.DeleteStream", "streamsMap.GetOrOpenReceiveStream", "streamsMap.GetOrOpenSendStream", "streamsMap.OpenStream", "streamsMap.OpenStreamSync", "streamsMap.OpenUniStream", "streamsMap.OpenUniStreamSync" ] } ] } } ], "references": [ { "type": "ADVISORY", "url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr" }, { "type": "FIX", "url": "https://github.com/quic-go/quic-go/commit/ca31dd355cbe5fc6c5807992d9d1149c66c96a50" }, { "type": "FIX", "url": "https://github.com/quic-go/quic-go/pull/4729" }, { "type": "WEB", "url": "https://github.com/quic-go/quic-go/releases/tag/v0.48.2" }, { "type": "REPORT", "url": "https://datatracker.ietf.org/doc/draft-seemann-tsvwg-udp-fragmentation/" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-3302", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-3735", "modified": "2025-06-03T17:28:53Z", "published": "2025-06-03T17:28:53Z", "aliases": [ "CVE-2025-29785", "GHSA-j972-j939-p2v3" ], "summary": "Panic in Path Probe Loss Recovery Handling in github.com/quic-go/quic-go", "details": "Panic in Path Probe Loss Recovery Handling in github.com/quic-go/quic-go", "affected": [ { "package": { "name": "github.com/quic-go/quic-go", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.50.0" }, { "fixed": "0.50.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "github.com/quic-go/quic-go/internal/ackhandler", "symbols": [ "sentPacketHandler.OnLossDetectionTimeout", "sentPacketHandler.ReceivedAck", "sentPacketHandler.detectAndRemoveAckedPackets", "sentPacketHandler.detectLostPathProbes" ] } ] } } ], "references": [ { "type": "ADVISORY", "url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-j972-j939-p2v3" }, { "type": "FIX", "url": "https://github.com/quic-go/quic-go/commit/b90058aba5f65f48e0e150c89bbaa21a72dda4de" }, { "type": "REPORT", "url": "https://github.com/quic-go/quic-go/issues/4981" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-3735", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-4017", "modified": "2025-11-05T18:41:07Z", "published": "2025-11-05T18:41:07Z", "aliases": [ "CVE-2025-59530", "GHSA-47m2-4cr7-mhcw" ], "summary": "Panic occurs when queuing undecryptable packets after handshake completion in github.com/quic-go/quic-go", "details": "Panic occurs when queuing undecryptable packets after handshake completion in github.com/quic-go/quic-go", "affected": [ { "package": { "name": "github.com/quic-go/quic-go", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.49.1" }, { "introduced": "0.50.0" }, { "fixed": "0.54.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "github.com/quic-go/quic-go", "symbols": [ "Conn.handleHandshakeConfirmed", "Dial", "DialAddr", "DialAddrEarly", "DialEarly", "Listen", "ListenAddr", "ListenAddrEarly", "ListenEarly", "Transport.Dial", "Transport.DialEarly", "Transport.Listen", "Transport.ListenEarly" ] } ] } } ], "references": [ { "type": "ADVISORY", "url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-47m2-4cr7-mhcw" }, { "type": "FIX", "url": "https://github.com/quic-go/quic-go/commit/bc5bccf10fd02728eef150683eb4dfaa5c0e749c" }, { "type": "FIX", "url": "https://github.com/quic-go/quic-go/commit/ce7c9ea8834b9d2ed79efa9269467f02c0895d42" }, { "type": "FIX", "url": "https://github.com/quic-go/quic-go/pull/5354" }, { "type": "WEB", "url": "https://github.com/quic-go/quic-go/blob/v0.55.0/connection.go#L2682-L2685" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-4017", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-4233", "modified": "2025-12-15T20:37:41Z", "published": "2025-12-15T20:37:41Z", "aliases": [ "CVE-2025-64702", "GHSA-g754-hx8w-x2g6" ], "summary": "HTTP/3 QPACK Header Expansion DoS in github.com/quic-go/quic-go", "details": "HTTP/3 QPACK Header Expansion DoS in github.com/quic-go/quic-go", "affected": [ { "package": { "name": "github.com/quic-go/quic-go", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.57.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "github.com/quic-go/quic-go/http3", "symbols": [ "ClientConn.OpenRequestStream", "ClientConn.RoundTrip", "ConfigureTLSConfig", "Conn.OpenStream", "Conn.OpenStreamSync", "Conn.OpenUniStream", "Conn.OpenUniStreamSync", "Conn.decodeTrailers", "ErrCode.String", "Error.Error", "ListenAndServeQUIC", "ListenAndServeTLS", "ParseCapsule", "RequestStream.CancelRead", "RequestStream.CancelWrite", "RequestStream.Close", "RequestStream.Read", "RequestStream.ReadResponse", "RequestStream.SendRequestHeader", "RequestStream.Write", "Server.Close", "Server.ListenAndServe", "Server.ListenAndServeTLS", "Server.Serve", "Server.ServeListener", "Server.ServeQUICConn", "Server.Shutdown", "Server.handleRequest", "Server.maxHeaderBytes", "Stream.Read", "Stream.Write", "Transport.Close", "Transport.CloseIdleConnections", "Transport.NewClientConn", "Transport.RoundTrip", "Transport.RoundTripOpt", "body.Close", "body.Read", "cancelingReader.Read", "countingByteReader.Read", "countingByteReader.ReadByte", "errConnUnusable.Error", "exactReader.Read", "frameParser.ParseNext", "gzipReader.Close", "gzipReader.Read", "hijackableBody.Close", "hijackableBody.Read", "parseHeaders", "requestFromHeaders", "requestWriter.WriteRequestHeader", "responseWriter.Flush", "responseWriter.FlushError", "responseWriter.HTTPStream", "responseWriter.Write", "responseWriter.WriteHeader", "roundTripperWithCount.Close", "stateTrackingStream.CancelRead", "stateTrackingStream.CancelWrite", "stateTrackingStream.Close", "stateTrackingStream.Read", "stateTrackingStream.Write", "tracingReader.Read", "updateResponseFromHeaders" ] } ] } } ], "references": [ { "type": "ADVISORY", "url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-g754-hx8w-x2g6" }, { "type": "FIX", "url": "https://github.com/quic-go/quic-go/commit/5b2d2129f8315da41e01eff0a847ab38a34e83a8" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-4233", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2020-0012", "modified": "2024-05-20T16:03:47Z", "published": "2021-04-14T20:04:52Z", "aliases": [ "CVE-2020-9283", "GHSA-ffhg-7mh4-33c4" ], "summary": "Panic due to improper verification of cryptographic signatures in golang.org/x/crypto/ssh", "details": "An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public key, such that the library will panic when trying to verify a signature with it. If verifying signatures using user supplied public keys, this may be used as a denial of service vector.", "affected": [ { "package": { "name": "golang.org/x/crypto", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20200220183623-bac4c82f6975" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/crypto/ssh", "symbols": [ "CertChecker.Authenticate", "CertChecker.CheckCert", "CertChecker.CheckHostKey", "Certificate.Verify", "Dial", "NewClientConn", "NewPublicKey", "NewServerConn", "NewSignerFromKey", "NewSignerFromSigner", "ParseAuthorizedKey", "ParseKnownHosts", "ParsePrivateKey", "ParsePrivateKeyWithPassphrase", "ParsePublicKey", "ParseRawPrivateKey", "ParseRawPrivateKeyWithPassphrase", "ed25519PublicKey.Verify", "parseED25519", "parseSKEd25519", "skEd25519PublicKey.Verify" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/220357" }, { "type": "FIX", "url": "https://go.googlesource.com/crypto/+/bac4c82f69751a6dd76e702d54b3ceb88adab236" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/3L45YRc91SY" } ], "credits": [ { "name": "Alex Gaynor, Fish in a Barrel" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2020-0012", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2020-0013", "modified": "2024-05-20T16:03:47Z", "published": "2021-04-14T20:04:52Z", "aliases": [ "CVE-2017-3204", "GHSA-xhjq-w7xm-p8qj" ], "summary": "Man-in-the-middle attack in golang.org/x/crypto/ssh", "details": "By default host key verification is disabled which allows for man-in-the-middle attacks against SSH clients if ClientConfig.HostKeyCallback is not set.", "affected": [ { "package": { "name": "golang.org/x/crypto", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20170330155735-e4e2799dd7aa" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/crypto/ssh", "symbols": [ "Dial", "NewClientConn" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/38701" }, { "type": "FIX", "url": "https://go.googlesource.com/crypto/+/e4e2799dd7aab89f583e1d898300d96367750991" }, { "type": "REPORT", "url": "https://go.dev/issue/19767" }, { "type": "WEB", "url": "https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/" } ], "credits": [ { "name": "Phil Pennock" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2020-0013", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0227", "modified": "2024-05-20T16:03:47Z", "published": "2022-02-17T17:35:32Z", "aliases": [ "CVE-2020-29652", "GHSA-3vm4-22fp-5rfm" ], "summary": "Panic on crafted authentication request message in golang.org/x/crypto/ssh", "details": "Clients can cause a panic in SSH servers. An attacker can craft an authentication request message for the “gssapi-with-mic” method which will cause NewServerConn to panic via a nil pointer dereference if ServerConfig.GSSAPIWithMICConfig is nil.", "affected": [ { "package": { "name": "golang.org/x/crypto", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20201216223049-8b5274cf687f" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/crypto/ssh", "symbols": [ "NewServerConn", "connection.serverAuthenticate" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/278852" }, { "type": "FIX", "url": "https://go.googlesource.com/crypto/+/8b5274cf687fd9316b4108863654cc57385531e8" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1" } ], "credits": [ { "name": "Joern Schneewesiz (GitLab Security Research Team)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0227", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0356", "modified": "2024-05-20T16:03:47Z", "published": "2022-04-25T20:38:40Z", "aliases": [ "CVE-2022-27191", "GHSA-8c26-wmh5-6g9v" ], "summary": "Denial of service via crafted Signer in golang.org/x/crypto/ssh", "details": "Attackers can cause a crash in SSH servers when the server has been configured by passing a Signer to ServerConfig.AddHostKey such that\n1) the Signer passed to AddHostKey does not implement AlgorithmSigner, and\n2) the Signer passed to AddHostKey returns a key of type “ssh-rsa” from its PublicKey method.\n\nServers that only use Signer implementations provided by the ssh package are unaffected.", "affected": [ { "package": { "name": "golang.org/x/crypto", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20220314234659-1baeb1ce4c0b" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/crypto/ssh", "symbols": [ "ServerConfig.AddHostKey" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/392355" }, { "type": "FIX", "url": "https://go.googlesource.com/crypto/+/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/-cp44ypCT5s" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0356", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0209", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-01T20:15:25Z", "aliases": [ "CVE-2019-11840", "GHSA-r5c5-pr8j-pfp7" ], "summary": "Insufficiently random values in golang.org/x/crypto/salsa20", "details": "XORKeyStream generates incorrect and insecure output for very large inputs.\n\nIf more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.\n\nThe issue might affect uses of golang.org/x/crypto/nacl with extremely large messages.\n\nArchitectures other than amd64 and uses that generate less than 256 GiB of keystream for a single salsa20.XORKeyStream invocation are unaffected.", "affected": [ { "package": { "name": "golang.org/x/crypto", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20190320223903-b7391e95e576" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/crypto/salsa20/salsa", "goarch": [ "amd64" ], "symbols": [ "XORKeyStream" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/168406" }, { "type": "FIX", "url": "https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d" }, { "type": "REPORT", "url": "https://go.dev/issue/30965" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/tjyNcJxb2vQ/m/n0NRBziSCAAJ" } ], "credits": [ { "name": "Michael McLoughlin" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0209", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0229", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-06T18:23:48Z", "aliases": [ "CVE-2020-7919", "GHSA-cjjc-xp8v-855w" ], "summary": "Panic in certificate parsing in crypto/x509 and golang.org/x/crypto/cryptobyte", "details": "On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic.\n\nThe malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.12.16" }, { "introduced": "1.13.0-0" }, { "fixed": "1.13.7" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/x509" } ] } }, { "package": { "name": "golang.org/x/crypto", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20200124225646-8b5121be2f68" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/crypto/cryptobyte" } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/216680" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574" }, { "type": "FIX", "url": "https://go.dev/cl/216677" }, { "type": "REPORT", "url": "https://go.dev/issue/36837" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/Hsw4mHYc470" } ], "credits": [ { "name": "Project Wycheproof" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0229", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0968", "modified": "2024-05-20T16:03:47Z", "published": "2022-09-13T03:32:38Z", "aliases": [ "CVE-2021-43565", "GHSA-gwc9-m7rh-j2ww" ], "summary": "Panic on malformed packets in golang.org/x/crypto/ssh", "details": "Unauthenticated clients can cause a panic in SSH servers.\n\nWhen using AES-GCM or ChaCha20Poly1305, consuming a malformed packet which contains an empty plaintext causes a panic.", "affected": [ { "package": { "name": "golang.org/x/crypto", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20211202192323-5770296d904e" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/crypto/ssh", "symbols": [ "Dial", "NewClientConn", "NewServerConn", "chacha20Poly1305Cipher.readCipherPacket", "curve25519sha256.Client", "curve25519sha256.Server", "dhGEXSHA.Client", "dhGEXSHA.Server", "dhGroup.Client", "dhGroup.Server", "ecdh.Client", "ecdh.Server", "gcmCipher.readCipherPacket" ] } ] } } ], "references": [ { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/2AR1sKiM-Qs" }, { "type": "REPORT", "url": "https://go.dev/issues/49932" }, { "type": "FIX", "url": "https://go.dev/cl/368814/" } ], "credits": [ { "name": "Rod Hynes (Psiphon Inc)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0968", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-1992", "modified": "2024-05-20T16:03:47Z", "published": "2023-08-23T14:38:42Z", "aliases": [ "CVE-2019-11841", "GHSA-x3jr-pf6g-c48f" ], "summary": "Misleading message verification in golang.org/x/crypto/openpgp/clearsign", "details": "The clearsign package accepts some malformed messages, making it possible for an attacker to trick a human user (but not a Go program) into thinking unverified text is part of the message.\n\nWith fix, messages with malformed headers in the SIGNED MESSAGE section are rejected.", "affected": [ { "package": { "name": "golang.org/x/crypto", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20190424203555-c05e17bb3b2d" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/crypto/openpgp/clearsign", "symbols": [ "Decode" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go-review.git.corp.google.com/c/crypto/+/173778" }, { "type": "FIX", "url": "https://go.googlesource.com/crypto/+/c05e17bb3b2dca130fc919668a96b4bec9eb9442" }, { "type": "WEB", "url": "https://groups.google.com/d/msg/golang-openpgp/6vdgZoTgbIY/K6bBY9z3DAAJ" } ], "credits": [ { "name": "Aida Mynzhasova (SEC Consult Vulnerability Lab)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-1992", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-2402", "modified": "2024-05-20T16:03:47Z", "published": "2023-12-18T21:18:26Z", "aliases": [ "CVE-2023-48795", "GHSA-45x7-px36-x8w8" ], "summary": "Man-in-the-middle attacker can compromise integrity of secure channel in golang.org/x/crypto", "details": "A protocol weakness allows a MITM attacker to compromise the integrity of the secure channel before it is established, allowing the attacker to prevent transmission of a number of messages immediately after the secure channel is established without either side being aware.\n\nThe impact of this attack is relatively limited, as it does not compromise confidentiality of the channel. Notably this attack would allow an attacker to prevent the transmission of the SSH2_MSG_EXT_INFO message, disabling a handful of newer security features.\n\nThis protocol weakness was also fixed in OpenSSH 9.6.", "affected": [ { "package": { "name": "golang.org/x/crypto", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.17.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/crypto/ssh", "symbols": [ "Client.Dial", "Client.DialContext", "Client.DialTCP", "Client.Listen", "Client.ListenTCP", "Client.ListenUnix", "Client.NewSession", "Dial", "DiscardRequests", "NewClient", "NewClientConn", "NewServerConn", "Request.Reply", "Session.Close", "Session.CombinedOutput", "Session.Output", "Session.RequestPty", "Session.RequestSubsystem", "Session.Run", "Session.SendRequest", "Session.Setenv", "Session.Shell", "Session.Signal", "Session.Start", "Session.WindowChange", "channel.Accept", "channel.Close", "channel.CloseWrite", "channel.Read", "channel.ReadExtended", "channel.Reject", "channel.SendRequest", "channel.Write", "channel.WriteExtended", "connectionState.readPacket", "connectionState.writePacket", "curve25519sha256.Client", "curve25519sha256.Server", "dhGEXSHA.Client", "dhGEXSHA.Server", "dhGroup.Client", "dhGroup.Server", "ecdh.Client", "ecdh.Server", "extChannel.Read", "extChannel.Write", "handshakeTransport.enterKeyExchange", "handshakeTransport.readLoop", "handshakeTransport.sendKexInit", "mux.OpenChannel", "mux.SendRequest", "sessionStdin.Close", "sshClientKeyboardInteractive.Challenge", "tcpListener.Accept", "tcpListener.Close", "transport.readPacket", "transport.writePacket", "unixListener.Accept", "unixListener.Close" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/64784" }, { "type": "FIX", "url": "https://go.dev/cl/550715" }, { "type": "FIX", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "type": "WEB", "url": "https://www.openssh.com/txt/release-9.6" } ], "credits": [ { "name": "Fabian Bäumer (Ruhr University Bochum)" }, { "name": "Marcus Brinkmann (Ruhr University Bochum)" }, { "name": "Jörg Schwenk (Ruhr University Bochum)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-2402", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2024-2961", "modified": "2024-07-02T19:27:52Z", "published": "2024-07-02T19:27:52Z", "aliases": [ "CVE-2022-30636" ], "summary": "Limited directory traversal vulnerability on Windows in golang.org/x/crypto", "details": "httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\\..\\asd becomes ..\\..\\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened.\n\nSince the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix.", "affected": [ { "package": { "name": "golang.org/x/crypto", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20220525230936-793ad666bf5e" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/crypto/acme/autocert", "goos": [ "windows" ], "symbols": [ "DirCache.Delete", "DirCache.Get", "DirCache.Put", "HostWhitelist", "Manager.GetCertificate", "Manager.Listener", "NewListener", "listener.Accept", "listener.Close" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/408694" }, { "type": "REPORT", "url": "https://go.dev/issue/53082" } ], "credits": [ { "name": "Juho Nurminen of Mattermost" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-2961", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2024-3321", "modified": "2025-02-18T20:32:01Z", "published": "2024-12-11T18:40:19Z", "aliases": [ "CVE-2024-45337", "GHSA-v778-237x-gjrc" ], "summary": "Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto", "details": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass.\n\nThe documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.\n\nFor example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.\n\nSince this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.\n\nUsers should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.", "affected": [ { "package": { "name": "golang.org/x/crypto", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.31.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/crypto/ssh", "symbols": [ "NewServerConn", "ServerConfig.PublicKeyCallback", "connection.serverAuthenticate" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909" }, { "type": "FIX", "url": "https://go.dev/cl/635315" }, { "type": "REPORT", "url": "https://go.dev/issue/70779" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ" } ], "credits": [ { "name": "Damien Tournoud (Platform.sh / Upsun)" }, { "name": "Patrick Dawkins (Platform.sh / Upsun)" }, { "name": "Vince Parker (Platform.sh / Upsun)" }, { "name": "Jules Duvivier (Platform.sh / Upsun)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-3321", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-3487", "modified": "2025-02-26T02:51:51Z", "published": "2025-02-26T02:51:51Z", "aliases": [ "CVE-2025-22869" ], "summary": "Potential denial of service in golang.org/x/crypto", "details": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.", "affected": [ { "package": { "name": "golang.org/x/crypto", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.35.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/crypto/ssh", "symbols": [ "Client.Dial", "Client.DialContext", "Client.DialTCP", "Client.Listen", "Client.ListenTCP", "Client.ListenUnix", "Client.NewSession", "Dial", "DiscardRequests", "NewClient", "NewClientConn", "NewServerConn", "Request.Reply", "Session.Close", "Session.CombinedOutput", "Session.Output", "Session.RequestPty", "Session.RequestSubsystem", "Session.Run", "Session.SendRequest", "Session.Setenv", "Session.Shell", "Session.Signal", "Session.Start", "Session.WindowChange", "channel.Accept", "channel.Close", "channel.CloseWrite", "channel.Read", "channel.ReadExtended", "channel.Reject", "channel.SendRequest", "channel.Write", "channel.WriteExtended", "connection.SendAuthBanner", "curve25519sha256.Client", "curve25519sha256.Server", "dhGEXSHA.Client", "dhGEXSHA.Server", "dhGroup.Client", "dhGroup.Server", "ecdh.Client", "ecdh.Server", "extChannel.Read", "extChannel.Write", "handshakeTransport.kexLoop", "handshakeTransport.recordWriteError", "handshakeTransport.writePacket", "mux.OpenChannel", "mux.SendRequest", "newHandshakeTransport", "sessionStdin.Close", "sshClientKeyboardInteractive.Challenge", "tcpListener.Accept", "tcpListener.Close", "unixListener.Accept", "unixListener.Close" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/652135" }, { "type": "REPORT", "url": "https://go.dev/issue/71931" } ], "credits": [ { "name": "Yuichi Watanabe" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-3487", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-4116", "modified": "2025-12-16T16:23:22Z", "published": "2025-11-13T21:12:03Z", "aliases": [ "CVE-2025-47913" ], "summary": "Potential denial of service in golang.org/x/crypto/ssh/agent", "details": "SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.", "affected": [ { "package": { "name": "golang.org/x/crypto", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.43.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/crypto/ssh/agent", "symbols": [ "agentKeyringSigner.Sign", "agentKeyringSigner.SignWithAlgorithm", "client.List", "client.Sign", "client.SignWithFlags", "client.Signers" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/700295" }, { "type": "REPORT", "url": "https://go.dev/issue/75178" }, { "type": "WEB", "url": "https://github.com/advisories/GHSA-56w8-48fp-6mgv" } ], "credits": [ { "name": "Jakub Ciolek" }, { "name": "Nicola Murino" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-4116", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-4134", "modified": "2025-11-20T16:52:31Z", "published": "2025-11-19T20:11:57Z", "aliases": [ "CVE-2025-58181", "GHSA-j5w8-q4qc-rx2x" ], "summary": "Unbounded memory consumption in golang.org/x/crypto/ssh", "details": "SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.", "affected": [ { "package": { "name": "golang.org/x/crypto", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.45.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/crypto/ssh", "symbols": [ "NewServerConn", "parseGSSAPIPayload" ] } ] } } ], "references": [ { "type": "ADVISORY", "url": "https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA" }, { "type": "FIX", "url": "https://go.dev/cl/721961" }, { "type": "REPORT", "url": "https://go.dev/issue/76363" } ], "credits": [ { "name": "Jakub Ciolek" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-4134", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-4135", "modified": "2025-11-20T16:52:31Z", "published": "2025-11-19T20:11:57Z", "aliases": [ "CVE-2025-47914", "GHSA-f6x5-jh6r-wrfv" ], "summary": "Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent", "details": "SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.", "affected": [ { "package": { "name": "golang.org/x/crypto", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.45.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/crypto/ssh/agent", "symbols": [ "ForwardToAgent", "ServeAgent", "parseConstraints" ] } ] } } ], "references": [ { "type": "ADVISORY", "url": "https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA" }, { "type": "FIX", "url": "https://go.dev/cl/721960" }, { "type": "REPORT", "url": "https://go.dev/issue/76364" } ], "credits": [ { "name": "Jakub Ciolek" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-4135", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0493", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-15T23:30:12Z", "aliases": [ "CVE-2022-29526", "GHSA-p782-xgp4-8hr8" ], "summary": "Incorrect privilege reporting in syscall and golang.org/x/sys/unix", "details": "When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.17.10" }, { "introduced": "1.18.0-0" }, { "fixed": "1.18.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "syscall", "symbols": [ "Faccessat" ] } ] } }, { "package": { "name": "golang.org/x/sys", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20220412211240-33da011f77ad" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/sys/unix", "symbols": [ "Faccessat" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/399539" }, { "type": "REPORT", "url": "https://go.dev/issue/52313" }, { "type": "FIX", "url": "https://go.dev/cl/400074" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/Y5qrqw_lWdU" } ], "credits": [ { "name": "Joël Gähwiler (@256dpi)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0493", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2020-0015", "modified": "2024-05-20T16:03:47Z", "published": "2021-04-14T20:04:52Z", "aliases": [ "CVE-2020-14040", "GHSA-5rcv-m4m3-hfh7" ], "summary": "Infinite loop when decoding some inputs in golang.org/x/text", "details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.", "affected": [ { "package": { "name": "golang.org/x/text", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.3.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/text/encoding/unicode", "symbols": [ "bomOverride.Transform", "utf16Decoder.Transform" ] }, { "path": "golang.org/x/text/transform", "symbols": [ "String" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/238238" }, { "type": "FIX", "url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e" }, { "type": "REPORT", "url": "https://go.dev/issue/39491" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0" } ], "credits": [ { "name": "@abacabadabacaba" }, { "name": "Anton Gyllenberg" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2020-0015", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0113", "modified": "2024-05-20T16:03:47Z", "published": "2021-10-06T17:51:21Z", "aliases": [ "CVE-2021-38561", "GHSA-ppp9-7jff-5vj2" ], "summary": "Out-of-bounds read in golang.org/x/text/language", "details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.", "affected": [ { "package": { "name": "golang.org/x/text", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.3.7" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/text/language", "symbols": [ "MatchStrings", "MustParse", "Parse", "ParseAcceptLanguage" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/340830" }, { "type": "FIX", "url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f" } ], "credits": [ { "name": "Guido Vranken" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0113", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-1059", "modified": "2024-05-20T16:03:47Z", "published": "2022-10-11T18:16:24Z", "aliases": [ "CVE-2022-32149", "GHSA-69ch-w2m2-3vjp" ], "summary": "Denial of service via crafted Accept-Language header in golang.org/x/text/language", "details": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", "affected": [ { "package": { "name": "golang.org/x/text", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.3.8" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/text/language", "symbols": [ "MatchStrings", "ParseAcceptLanguage" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/56152" }, { "type": "FIX", "url": "https://go.dev/cl/442235" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ" } ], "credits": [ { "name": "Adam Korczynski (ADA Logics)" }, { "name": "OSS-Fuzz" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-1059", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-3488", "modified": "2025-02-26T02:51:51Z", "published": "2025-02-26T02:51:51Z", "aliases": [ "CVE-2025-22868" ], "summary": "Unexpected memory consumption during token parsing in golang.org/x/oauth2", "details": "An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.", "affected": [ { "package": { "name": "golang.org/x/oauth2", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.27.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/oauth2/jws", "symbols": [ "Verify" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/652155" }, { "type": "REPORT", "url": "https://go.dev/issue/71490" } ], "credits": [ { "name": "jub0bs" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-3488", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0603", "modified": "2024-05-20T16:03:47Z", "published": "2022-08-22T18:00:47Z", "aliases": [ "CVE-2022-28948", "GHSA-hp87-p4gw-j4gq" ], "summary": "Panic in gopkg.in/yaml.v3", "details": "An issue in the Unmarshal function can cause a program to panic when attempting to deserialize invalid input.", "affected": [ { "package": { "name": "gopkg.in/yaml.v3", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "3.0.0-20220521103104-8f96da9f5d5e" } ] } ], "ecosystem_specific": { "imports": [ { "path": "gopkg.in/yaml.v3", "symbols": [ "Unmarshal" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://github.com/go-yaml/yaml/commit/8f96da9f5d5eff988554c1aae1784627c4bf6754" }, { "type": "WEB", "url": "https://github.com/go-yaml/yaml/issues/666" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0603", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0067", "modified": "2024-05-20T16:03:47Z", "published": "2021-04-14T20:04:52Z", "aliases": [ "CVE-2021-27919" ], "summary": "Panic when opening archives in archive/zip", "details": "Using Reader.Open on an archive containing a file with a path prefixed by \"../\" will cause a panic due to a stack overflow. If parsing user supplied archives, this may be used as a denial of service vector.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.16.0-0" }, { "fixed": "1.16.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "archive/zip", "symbols": [ "toValidName" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/300489" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/cd3b4ca9f20fd14187ed4cdfdee1a02ea87e5cd8" }, { "type": "REPORT", "url": "https://go.dev/issue/44916" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw/m/zzhWj5jPAQAJ" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0067", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0069", "modified": "2024-05-20T16:03:47Z", "published": "2021-04-14T20:04:52Z", "aliases": [ "CVE-2020-28362" ], "summary": "Panic during division of very large numbers in math/big", "details": "A number of math/big.Int methods can panic when provided large inputs due to a flawed division method.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.14.0-0" }, { "fixed": "1.14.12" }, { "introduced": "1.15.0-0" }, { "fixed": "1.15.5" } ] } ], "ecosystem_specific": { "imports": [ { "path": "math/big", "symbols": [ "nat.divRecursiveStep" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/269657" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/1e1fa5903b760c6714ba17e50bf850b01f49135c" }, { "type": "REPORT", "url": "https://go.dev/issue/42552" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM/m/fLguyiM2CAAJ" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0069", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0142", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-01T20:11:09Z", "aliases": [ "CVE-2020-16845", "GHSA-q6gq-997w-f55g" ], "summary": "Unbounded read from invalid inputs in encoding/binary", "details": "ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs.\n\nCertain invalid inputs to ReadUvarint or ReadVarint can cause these functions to read an unlimited number of bytes from the ByteReader parameter before returning an error. This can lead to processing more input than expected when the caller is reading directly from a network and depends on ReadUvarint or ReadVarint only consuming a small, bounded number of bytes, even from invalid inputs.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.13.15" }, { "introduced": "1.14.0-0" }, { "fixed": "1.14.7" } ] } ], "ecosystem_specific": { "imports": [ { "path": "encoding/binary", "symbols": [ "ReadUvarint", "ReadVarint" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/247120" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/027d7241ce050d197e7fabea3d541ffbe3487258" }, { "type": "REPORT", "url": "https://go.dev/issue/40618" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/NyPIaucMgXo" } ], "credits": [ { "name": "Diederik Loerakker" }, { "name": "Jonny Rhea" }, { "name": "Raúl Kripalani" }, { "name": "Preston Van Loon" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0142", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0154", "modified": "2024-06-03T20:51:31Z", "published": "2022-05-25T21:11:41Z", "aliases": [ "CVE-2014-7189" ], "summary": "Man-in-the-middle attack with SessionTicketsDisabled in crypto/tls", "details": "When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle attackers to spoof clients via unspecified vectors.\n\nIf the server enables TLS client authentication using certificates (this is rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config, then a malicious client can falsely assert ownership of any client certificate it wishes.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.1.0-0" }, { "fixed": "1.3.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/tls", "symbols": [ "checkForResumption", "decryptTicket" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/148080043" }, { "type": "REPORT", "url": "https://go.dev/issue/53085" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-nuts/c/eeOHNw_shwU/m/OHALUmroA5kJ" } ], "credits": [ { "name": "Go Team" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0154", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0159", "modified": "2024-05-20T16:03:47Z", "published": "2022-01-05T21:39:14Z", "aliases": [ "CVE-2015-5739", "CVE-2015-5740", "CVE-2015-5741" ], "summary": "Request smuggling due to improper header parsing in net/http", "details": "HTTP headers were not properly parsed, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.4.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "CanonicalMIMEHeaderKey", "body.readLocked", "canonicalMIMEHeaderKey", "chunkWriter.writeHeader", "fixLength", "fixTransferEncoding", "readTransfer", "transferWriter.shouldSendContentLength", "validHeaderFieldByte" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/13148" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/26049f6f9171d1190f3bbe05ec304845cfe6399f" }, { "type": "FIX", "url": "https://go.dev/cl/11772" }, { "type": "FIX", "url": "https://go.dev/cl/11810" }, { "type": "FIX", "url": "https://go.dev/cl/12865" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/117ddcb83d7f42d6aa72241240af99ded81118e9" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/300d9a21583e7cf0149a778a0611e76ff7c6680f" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/c2db5f4ccc61ba7df96a747e268a277b802cbb87" }, { "type": "REPORT", "url": "https://go.dev/issue/12027" }, { "type": "REPORT", "url": "https://go.dev/issue/11930" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/iSIyW4lM4hY/m/ADuQR4DiDwAJ" } ], "credits": [ { "name": "Jed Denlea" }, { "name": "Régis Leroy" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0159", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0160", "modified": "2024-05-20T16:03:47Z", "published": "2022-01-05T15:31:16Z", "aliases": [ "CVE-2015-8618" ], "summary": "Incorrect calculation affecting RSA computations in math/big", "details": "Int.Exp Montgomery mishandled carry propagation and produced an incorrect output, which makes it easier for attackers to obtain private RSA keys via unspecified vectors.\n\nThis issue can affect RSA computations in crypto/rsa, which is used by crypto/tls. TLS servers on 32-bit systems could plausibly leak their RSA private key due to this issue. Other protocol implementations that create many RSA signatures could also be impacted in the same way.\n\nSpecifically, incorrect results in one part of the RSA Chinese Remainder computation can cause the result to be incorrect in such a way that it leaks one of the primes. While RSA blinding should prevent an attacker from crafting specific inputs that trigger the bug, on 32-bit systems the bug can be expected to occur at random around one in 2^26 times. Thus collecting around 64 million signatures (of known data) from an affected server should be enough to extract the private key used.\n\nNote that on 64-bit systems, the frequency of the bug is so low (less than one in 2^50) that it would be very difficult to exploit.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.5.0-0" }, { "fixed": "1.5.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "math/big", "symbols": [ "nat.expNNMontgomery", "nat.montgomery" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/18491" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/1e066cad1ba23f4064545355b8737e4762dd6838" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/4306352182bf94f86f0cfc6a8b0ed461cbf1d82c" }, { "type": "FIX", "url": "https://go.dev/cl/17672" }, { "type": "REPORT", "url": "https://go.dev/issue/13515" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/MEATuOi_ei4" } ], "credits": [ { "name": "Nick Craig-Wood" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0160", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0163", "modified": "2024-05-20T16:03:47Z", "published": "2022-01-05T22:41:50Z", "aliases": [ "CVE-2016-3958" ], "summary": "Privilege escalation on Windows via malicious DLL in syscall", "details": "Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.5.4" }, { "introduced": "1.6.0-0" }, { "fixed": "1.6.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "syscall", "symbols": [ "LoadLibrary" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/21428" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/6a0bb87bd0bf0fdf8ddbd35f77a75ebd412f61b0" }, { "type": "REPORT", "url": "https://go.dev/issue/14959" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/9eqIHqaWvck" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0163", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0172", "modified": "2024-05-20T16:03:47Z", "published": "2022-02-15T23:56:14Z", "aliases": [ "CVE-2017-1000098" ], "summary": "Denial of service when parsing large forms in mime/multipart", "details": "When parsing large multipart/form-data, an attacker can cause a HTTP server to open a large number of file descriptors. This may be used as a denial-of-service vector.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.6.4" }, { "introduced": "1.7.0-0" }, { "fixed": "1.7.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "mime/multipart", "symbols": [ "Reader.readForm" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/30410" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/7478ea5dba7ed02ddffd91c1d17ec8141f7cf184" }, { "type": "REPORT", "url": "https://go.dev/issue/16296" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-dev/c/4NdLzS8sls8/m/uIz8QlnIBQAJ" } ], "credits": [ { "name": "Simon Rawet" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0172", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0178", "modified": "2024-05-20T16:03:47Z", "published": "2022-01-07T20:35:00Z", "aliases": [ "CVE-2017-15042" ], "summary": "Cleartext transmission of credentials in net/smtp", "details": "SMTP clients using net/smtp can use the PLAIN authentication scheme on network connections not secured with TLS, exposing passwords to man-in-the-middle SMTP servers.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.1.0-0" }, { "fixed": "1.8.4" }, { "introduced": "1.9.0-0" }, { "fixed": "1.9.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/smtp", "symbols": [ "plainAuth.Start" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/68170" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/ec3b6131de8f9c9c25283260c95c616c74f6d790" }, { "type": "REPORT", "url": "https://go.dev/issue/22134" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-dev/c/RinSE3EiJBI/m/kYL7zb07AgAJ" } ], "credits": [ { "name": "Stevie Johnstone" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0178", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0223", "modified": "2024-05-20T16:03:47Z", "published": "2022-02-17T17:46:03Z", "aliases": [ "CVE-2020-14039" ], "summary": "Certificate verification error on Windows in crypto/x509", "details": "On Windows, if VerifyOptions.Roots is nil, Certificate.Verify does not check the EKU requirements specified in VerifyOptions.KeyUsages. This may allow a certificate to be used for an unintended purpose.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.13.13" }, { "introduced": "1.14.0-0" }, { "fixed": "1.14.5" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/x509", "goos": [ "windows" ], "symbols": [ "Certificate.systemVerify" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/242597" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/82175e699a2e2cd83d3aa34949e9b922d66d52f5" }, { "type": "REPORT", "url": "https://go.dev/issue/39360" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/XZNfaiwgt2w" } ], "credits": [ { "name": "Niall Newman" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0223", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0224", "modified": "2024-05-20T16:03:47Z", "published": "2022-02-17T17:36:04Z", "aliases": [ "CVE-2020-15586" ], "summary": "Data race and crash in net/http", "details": "HTTP servers where the Handler concurrently reads the request body and writes a response can encounter a data race and crash. The httputil.ReverseProxy Handler is affected.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.13.13" }, { "introduced": "1.14.0-0" }, { "fixed": "1.14.5" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "expectContinueReader.Read" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/242598" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/fa98f46741f818913a8c11b877520a548715131f" }, { "type": "REPORT", "url": "https://go.dev/issue/34902" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/XZNfaiwgt2w" } ], "credits": [ { "name": "Mikael Manukyan" }, { "name": "Andrew Kutz" }, { "name": "Dave McClure" }, { "name": "Tim Downey" }, { "name": "Clay Kauzlaric" }, { "name": "Gabe Rosenhouse" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0224", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0226", "modified": "2024-05-20T16:03:47Z", "published": "2022-01-13T03:44:58Z", "aliases": [ "CVE-2020-24553" ], "summary": "Cross-site scripting in net/http/cgi and net/http/fcgi", "details": "When a Handler does not explicitly set the Content-Type header, the the package would default to “text/html”, which could cause a Cross-Site Scripting vulnerability if an attacker can control any part of the contents of a response.\n\nThe Content-Type header is now set based on the contents of the first Write using http.DetectContentType, which is consistent with the behavior of the net/http package.\n\nAlthough this protects some applications that validate the contents of uploaded files, not setting the Content-Type header explicitly on any attacker-controlled file is unsafe and should be avoided.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.14.8" }, { "introduced": "1.15.0-0" }, { "fixed": "1.15.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http/cgi", "symbols": [ "response.Write", "response.WriteHeader", "response.writeCGIHeader" ] }, { "path": "net/http/fcgi", "symbols": [ "response.Write", "response.WriteHeader", "response.writeCGIHeader" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/252179" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/4f5cd0c0331943c7ec72df3b827d972584f77833" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/8wqlSbkLdPs" }, { "type": "REPORT", "url": "https://go.dev/issue/40928" } ], "credits": [ { "name": "RedTeam Pentesting GmbH" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0226", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0234", "modified": "2024-05-20T16:03:47Z", "published": "2022-02-17T17:34:24Z", "aliases": [ "CVE-2021-27918" ], "summary": "Infinite loop when decoding inputs in encoding/xml", "details": "The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by xml.NewTokenDecoder may enter an infinite loop when operating on a custom xml.TokenReader which returns an EOF in the middle of an open XML element.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.15.9" }, { "introduced": "1.16.0-0" }, { "fixed": "1.16.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "encoding/xml", "symbols": [ "Decoder.Token" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/300391" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/d0b79e3513a29628f3599dc8860666b6eed75372" }, { "type": "REPORT", "url": "https://go.dev/issue/44913" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw" } ], "credits": [ { "name": "Sam Whited" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0234", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0235", "modified": "2024-05-20T16:03:47Z", "published": "2022-02-17T17:34:14Z", "aliases": [ "CVE-2021-3114" ], "summary": "Incorrect operations on the P-224 curve in crypto/elliptic", "details": "The P224() Curve implementation can in rare circumstances generate incorrect outputs, including returning invalid points from ScalarMult.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.14.14" }, { "introduced": "1.15.0-0" }, { "fixed": "1.15.7" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/elliptic", "symbols": [ "p224Contract" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/284779" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/d95ca9138026cbe40e0857d76a81a16d03230871" }, { "type": "REPORT", "url": "https://go.dev/issue/43786" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/mperVMGa98w" } ], "credits": [ { "name": "The elliptic-curve-differential-fuzzer project running on OSS-Fuzz" }, { "name": "Philippe Antoine (Catena cyber)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0235", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0239", "modified": "2024-05-20T16:03:47Z", "published": "2022-02-17T17:33:35Z", "aliases": [ "CVE-2021-33195" ], "summary": "Improper sanitization when resolving values from DNS in net", "details": "The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions and their respective methods on the Resolver type may return arbitrary values retrieved from DNS which do not follow the established RFC 1035 rules for domain names. If these names are used without further sanitization, for instance unsafely included in HTML, they may allow for injection of unexpected content. Note that LookupTXT may still return arbitrary values that could require sanitization before further use.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.15.13" }, { "introduced": "1.16.0-0" }, { "fixed": "1.16.5" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net", "symbols": [ "Resolver.LookupAddr", "Resolver.LookupCNAME", "Resolver.LookupMX", "Resolver.LookupNS", "Resolver.LookupSRV" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/320949" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/c89f1224a544cde464fcb86e78ebb0cc97eedba2" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI" }, { "type": "REPORT", "url": "https://go.dev/issue/46241" } ], "credits": [ { "name": "Philipp Jeitner" }, { "name": "Haya Shulman from Fraunhofer SIT" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0239", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0240", "modified": "2024-05-20T16:03:47Z", "published": "2022-02-17T17:33:25Z", "aliases": [ "CVE-2021-33196" ], "summary": "Panic when reading certain archives in archive/zip", "details": "NewReader and OpenReader can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.15.13" }, { "introduced": "1.16.0-0" }, { "fixed": "1.16.5" } ] } ], "ecosystem_specific": { "imports": [ { "path": "archive/zip", "symbols": [ "Reader.init" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/318909" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/74242baa4136c7a9132a8ccd9881354442788c8c" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI" }, { "type": "REPORT", "url": "https://go.dev/issue/46242" } ], "credits": [ { "name": "OSS-Fuzz (discovery)" }, { "name": "Emmanuel Odeke (reporter)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0240", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0241", "modified": "2024-05-20T16:03:47Z", "published": "2022-02-17T17:33:16Z", "aliases": [ "CVE-2021-33197" ], "summary": "Attacker can drop certain headers in net/http/httputil", "details": "ReverseProxy can be made to forward certain hop-by-hop headers, including Connection. If the target of the ReverseProxy is itself a reverse proxy, this lets an attacker drop arbitrary headers, including those set by the ReverseProxy.Director.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.15.13" }, { "introduced": "1.16.0-0" }, { "fixed": "1.16.5" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http/httputil", "symbols": [ "ReverseProxy.ServeHTTP" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/321929" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/950fa11c4cb01a145bb07eeb167d90a1846061b3" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI" }, { "type": "REPORT", "url": "https://go.dev/issue/46313" } ], "credits": [ { "name": "Mattias Grenfeldt (https://grenfeldt.dev)" }, { "name": "Asta Olofsson" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0241", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0242", "modified": "2024-05-20T16:03:47Z", "published": "2022-02-17T17:33:07Z", "aliases": [ "CVE-2021-33198" ], "summary": "Panic on inputs with large exponents in math/big", "details": "Rat.SetString and Rat.UnmarshalText may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.15.13" }, { "introduced": "1.16.0-0" }, { "fixed": "1.16.5" } ] } ], "ecosystem_specific": { "imports": [ { "path": "math/big", "symbols": [ "Rat.SetString" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/316149" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/6c591f79b0b5327549bd4e94970f7a279efb4ab0" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI" }, { "type": "REPORT", "url": "https://go.dev/issue/45910" } ], "credits": [ { "name": "The OSS-Fuzz project (discovery)" }, { "name": "Emmanuel Odeke (reporter)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0242", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0243", "modified": "2024-05-20T16:03:47Z", "published": "2022-02-17T17:32:57Z", "aliases": [ "CVE-2021-34558" ], "summary": "Panic on certain certificates in crypto/tls", "details": "crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters. net/http clients performing HTTPS requests are also affected.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.15.14" }, { "introduced": "1.16.0-0" }, { "fixed": "1.16.6" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/tls", "symbols": [ "rsaKeyAgreement.generateClientKeyExchange" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/334031" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/a98589711da5e9d935e8d690cfca92892e86d557" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/n9FxMelZGAQ" }, { "type": "REPORT", "url": "https://go.dev/issue/47143" } ], "credits": [ { "name": "Imre Rad" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0243", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0245", "modified": "2024-05-20T16:03:47Z", "published": "2022-02-17T17:32:24Z", "aliases": [ "CVE-2021-36221" ], "summary": "Panic in ReverseProxy in net/http/httputil", "details": "ReverseProxy can panic after encountering a problem copying a proxied response body.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.15.15" }, { "introduced": "1.16.0-0" }, { "fixed": "1.16.7" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http/httputil", "symbols": [ "ReverseProxy.ServeHTTP" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/333191" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/b7a85e0003cedb1b48a1fd3ae5b746ec6330102e" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/uHACNfXAZqk" }, { "type": "REPORT", "url": "https://go.dev/issue/46866" } ], "credits": [ { "name": "Andrew Crump" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0245", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0263", "modified": "2024-05-20T16:03:47Z", "published": "2022-01-13T03:45:03Z", "aliases": [ "CVE-2021-41771" ], "summary": "Panic on invalid symbol tables in debug/macho", "details": "Calling File.ImportedSymbols on a loaded file which contains an invalid dynamic symbol table command can cause a panic, in particular if the encoded number of undefined symbols is larger than the number of symbols in the symbol table.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.16.10" }, { "introduced": "1.17.0-0" }, { "fixed": "1.17.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "debug/macho", "symbols": [ "NewFile" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/367075" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/61536ec03063b4951163bd09609c86d82631fa27" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/0fM21h43arc" }, { "type": "REPORT", "url": "https://go.dev/issue/48990" } ], "credits": [ { "name": "Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0263", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0264", "modified": "2024-05-20T16:03:47Z", "published": "2022-01-13T20:54:43Z", "aliases": [ "CVE-2021-41772" ], "summary": "Panic when opening certain archives in archive/zip", "details": "Previously, opening a zip with (*Reader).Open could result in a panic if the zip contained a file whose name was exclusively made up of slash characters or \"..\" path elements.\n\nOpen could also panic if passed the empty string directly as an argument.\n\nNow, any files in the zip whose name could not be made valid for fs.FS.Open will be skipped, and no longer added to the fs.FS file list, although they are still accessible through (*Reader).File.\n\nNote that it was already the case that a file could be accessible from (*Reader).Open with a name different from the one in (*Reader).File, as the former is the cleaned name, while the latter is the original one.\n\nFinally, the actual panic site was made robust as a defense-in-depth measure.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.16.10" }, { "introduced": "1.17.0-0" }, { "fixed": "1.17.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "archive/zip", "symbols": [ "Reader.Open", "split" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/349770" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/b24687394b55a93449e2be4e6892ead58ea9a10f" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/0fM21h43arc" }, { "type": "REPORT", "url": "https://go.dev/issue/48085" } ], "credits": [ { "name": "Colin Arnott (SiteHost)" }, { "name": "Noah Santschi-Cooney (Sourcegraph Code Intelligence Team)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0264", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0317", "modified": "2024-05-20T16:03:47Z", "published": "2022-05-23T22:15:42Z", "aliases": [ "CVE-2022-23772" ], "summary": "Uncontrolled memory consumption in math/big", "details": "Rat.SetString had an overflow issue that can lead to uncontrolled memory consumption.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.16.14" }, { "introduced": "1.17.0-0" }, { "fixed": "1.17.7" } ] } ], "ecosystem_specific": { "imports": [ { "path": "math/big", "symbols": [ "Rat.SetString" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/379537" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/ad345c265916bbf6c646865e4642eafce6d39e78" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ" }, { "type": "REPORT", "url": "https://go.dev/issue/50699" } ], "credits": [ { "name": "Emmanuel Odeke" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0317", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0319", "modified": "2024-05-20T16:03:47Z", "published": "2022-05-23T22:15:21Z", "aliases": [ "CVE-2022-23806" ], "summary": "Incorrect computation for some invalid field elements in crypto/elliptic", "details": "Some big.Int values that are not valid field elements (negative or overflowing) might cause Curve.IsOnCurve to incorrectly return true. Operating on those values may cause a panic or an invalid curve operation. Note that Unmarshal will never return such values.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.16.14" }, { "introduced": "1.17.0-0" }, { "fixed": "1.17.7" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/elliptic", "symbols": [ "CurveParams.IsOnCurve", "p384PointFromAffine", "p521PointFromAffine" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/382455" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/7f9494c277a471f6f47f4af3036285c0b1419816" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ" }, { "type": "REPORT", "url": "https://go.dev/issue/50974" } ], "credits": [ { "name": "Guido Vranken" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0319", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0347", "modified": "2024-05-20T16:03:47Z", "published": "2022-05-23T22:15:47Z", "aliases": [ "CVE-2022-24921" ], "summary": "Stack exhaustion when compiling deeply nested expressions in regexp", "details": "On 64-bit platforms, an extremely deeply nested expression can cause regexp.Compile to cause goroutine stack exhaustion, forcing the program to exit. Note this applies to very large expressions, on the order of 2MB.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.16.15" }, { "introduced": "1.17.0-0" }, { "fixed": "1.17.8" } ] } ], "ecosystem_specific": { "imports": [ { "path": "regexp", "symbols": [ "regexp.Compile" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/384616" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/452f24ae94f38afa3704d4361d91d51218405c0a" }, { "type": "REPORT", "url": "https://go.dev/issue/51112" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/RP1hfrBYVuk" } ], "credits": [ { "name": "Juho Nurminen" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0347", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0166", "modified": "2024-05-20T16:03:47Z", "published": "2022-05-24T22:06:33Z", "aliases": [ "CVE-2016-3959" ], "summary": "Denial of service due to unchecked parameters in crypto/dsa", "details": "The Verify function in crypto/dsa passed certain parameters unchecked to the underlying big integer library, possibly leading to extremely long-running computations, which in turn makes Go programs vulnerable to remote denial of service attacks. Programs using HTTPS client certificates or the Go SSH server libraries are both exposed to this vulnerability.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.5.4" }, { "introduced": "1.6.0-0" }, { "fixed": "1.6.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/dsa", "symbols": [ "Verify" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/21533" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/eb876dd83cb8413335d64e50aae5d38337d1ebb4" }, { "type": "REPORT", "url": "https://go.dev/issue/15184" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/9eqIHqaWvck" } ], "credits": [ { "name": "David Wong" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0166", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0171", "modified": "2024-06-03T20:51:31Z", "published": "2022-05-24T20:17:59Z", "aliases": [ "CVE-2017-1000097" ], "summary": "Mishandled trust preferences for root certificates on Darwin in crypto/x509", "details": "On Darwin, user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.6.4" }, { "introduced": "1.7.0-0" }, { "fixed": "1.7.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/x509", "goos": [ "darwin" ], "symbols": [ "FetchPEMRoots", "execSecurityRoots" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.googlesource.com/go/+/7e5b2e0ec144d5f5b2923a7d5db0b9143f79a35a" }, { "type": "REPORT", "url": "https://go.dev/issue/18141" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-dev/c/4NdLzS8sls8/m/uIz8QlnIBQAJ" } ], "credits": [ { "name": "Xy Ziemba" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0171", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0187", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-01T20:11:15Z", "aliases": [ "CVE-2017-8932" ], "summary": "Incorrect computation for P-256 curves in crypto/elliptic", "details": "The ScalarMult implementation of curve P-256 for amd64 architectures generates incorrect results for certain specific input points. An adaptive attack can progressively extract the scalar input to ScalarMult by submitting crafted points and observing failures to derive correct output. This leads to a full key recovery attack against static ECDH, as used in popular JWT libraries.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.6.0-0" }, { "fixed": "1.7.6" }, { "introduced": "1.8.0-0" }, { "fixed": "1.8.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/elliptic", "goarch": [ "amd64" ], "symbols": [ "p256SubInternal" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/41070" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/9294fa2749ffee7edbbb817a0ef9fe633136fa9c" }, { "type": "REPORT", "url": "https://go.dev/issue/20040" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/B5ww0iFt1_Q/m/TgUFJV14BgAJ" } ], "credits": [ { "name": "Vlad Krasnov" }, { "name": "Filippo Valsorda at Cloudflare" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0187", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0191", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-15T23:03:26Z", "aliases": [ "CVE-2018-16875" ], "summary": "Denial of service in chain verification in crypto/x509", "details": "The crypto/x509 package does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients verifying certificates are affected.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.10.6" }, { "introduced": "1.11.0-0" }, { "fixed": "1.11.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/x509", "symbols": [ "CertPool.findVerifiedParents", "Certificate.buildChains" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/154105" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/770130659b6fb2acf271476579a3644e093dda7f" }, { "type": "REPORT", "url": "https://go.dev/issue/29233" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0" } ], "credits": [ { "name": "Netflix" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0191", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0211", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-01T20:15:30Z", "aliases": [ "CVE-2019-14809" ], "summary": "Incorrect parsing validation in net/url", "details": "The url.Parse function accepts URLs with malformed hosts, such that the Host field can have arbitrary suffixes that appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.11.13" }, { "introduced": "1.12.0-0" }, { "fixed": "1.12.8" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/url", "symbols": [ "URL.Hostname", "URL.Port", "parseHost" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/189258" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/61bb56ad63992a3199acc55b2537c8355ef887b6" }, { "type": "REPORT", "url": "https://go.dev/issue/29098" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/65QixT3tcmg" } ], "credits": [ { "name": "Julian Hector" }, { "name": "Nikolai Krein from Cure53" }, { "name": "Adi Cohen (adico.me)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0211", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0212", "modified": "2024-05-20T16:03:47Z", "published": "2022-05-23T22:46:20Z", "aliases": [ "CVE-2019-16276" ], "summary": "Request smuggling due to accepting invalid headers in net/http via net/textproto", "details": "net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230.\n\nIf a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same upstream connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.12.10" }, { "introduced": "1.13.0-0" }, { "fixed": "1.13.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/textproto", "symbols": [ "Reader.ReadMimeHeader" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/197503" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/41b1f88efab9d263408448bf139659119002ea50" }, { "type": "REPORT", "url": "https://go.dev/issue/34540" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/cszieYyuL9Q/m/g4Z7pKaqAgAJ" } ], "credits": [ { "name": "Andrew Stucki (99designs.com)" }, { "name": "Adam Scarr (99designs.com)" }, { "name": "Jan Masarik (masarik.sh)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0212", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0213", "modified": "2024-05-20T16:03:47Z", "published": "2022-05-24T20:14:11Z", "aliases": [ "CVE-2019-17596" ], "summary": "Panic on invalid DSA public keys in crypto/dsa", "details": "Invalid DSA public keys can cause a panic in dsa.Verify. In particular, using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don't chain to a trusted root. The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.\n\nMoreover, an application might crash invoking crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate request, parsing a golang.org/x/crypto/openpgp Entity, or during a golang.org/x/crypto/otr conversation. Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host key, while a server could panic if either PublicKeyCallback accepts a malformed public key, or if IsUserAuthority accepts a certificate with a malformed public key.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.12.11" }, { "introduced": "1.13.0-0" }, { "fixed": "1.13.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/dsa", "symbols": [ "Verify" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/205441" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/552987fdbf4c2bc9641016fd323c3ae5d3a0d9a3" }, { "type": "REPORT", "url": "https://go.dev/issue/34960" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/lVEm7llp0w0/m/VbafyRkgCgAJ" } ], "credits": [ { "name": "Daniel M" }, { "name": "ragona" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0213", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0217", "modified": "2024-05-20T16:03:47Z", "published": "2022-05-24T15:21:01Z", "aliases": [ "CVE-2019-6486" ], "summary": "Denial of service affecting P-521 and P-384 curves in crypto/elliptic", "details": "A DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU.\n\nThese inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.10.8" }, { "introduced": "1.11.0-0" }, { "fixed": "1.11.5" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/elliptic", "symbols": [ "curve.doubleJacobian" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/159218" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/193c16a3648b8670a762e925b6ac6e074f468a20" }, { "type": "REPORT", "url": "https://go.dev/issue/29903" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/mVeX35iXuSw" } ], "credits": [ { "name": "Wycheproof Project" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0217", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0220", "modified": "2024-05-20T16:03:47Z", "published": "2022-05-25T18:01:46Z", "aliases": [ "CVE-2019-9634" ], "summary": "DLL injection on Windows in runtime and syscall", "details": "Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.11.10" }, { "introduced": "1.12.0-0" }, { "fixed": "1.12.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "runtime", "goos": [ "windows" ] }, { "path": "syscall", "goos": [ "windows" ], "symbols": [ "LoadDLL" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/165798" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/9b6e9f0c8c66355c0f0575d808b32f52c8c6d21c" }, { "type": "REPORT", "url": "https://go.dev/issue/28978" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/z9eTD34GEIs/m/Z_XmhTrVAwAJ" } ], "credits": [ { "name": "Samuel Cochran" }, { "name": "Jason Donenfeld" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0220", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0229", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-06T18:23:48Z", "aliases": [ "CVE-2020-7919", "GHSA-cjjc-xp8v-855w" ], "summary": "Panic in certificate parsing in crypto/x509 and golang.org/x/crypto/cryptobyte", "details": "On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic.\n\nThe malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.12.16" }, { "introduced": "1.13.0-0" }, { "fixed": "1.13.7" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/x509" } ] } }, { "package": { "name": "golang.org/x/crypto", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20200124225646-8b5121be2f68" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/crypto/cryptobyte" } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/216680" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574" }, { "type": "FIX", "url": "https://go.dev/cl/216677" }, { "type": "REPORT", "url": "https://go.dev/issue/36837" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/Hsw4mHYc470" } ], "credits": [ { "name": "Project Wycheproof" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0229", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0236", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-15T23:04:18Z", "aliases": [ "CVE-2021-31525", "GHSA-h86h-8ppg-mxmh" ], "summary": "Panic due to large headers in net/http and golang.org/x/net/http/httpguts", "details": "A malicious HTTP server or client can cause the net/http client or server to panic.\n\nReadRequest and ReadResponse can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client.\n\nThis also affects golang.org/x/net/http2/h2c and HeaderValuesContainsToken in golang.org/x/net/http/httpguts.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.15.12" }, { "introduced": "1.16.0-0" }, { "fixed": "1.16.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "http2clientStream.writeRequest", "http2isConnectionCloseRequest", "isProtocolSwitchHeader", "shouldClose" ] } ] } }, { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20210428140749-89ef3d95e781" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http/httpguts", "symbols": [ "HeaderValuesContainsToken", "headerValueContainsToken" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/313069" }, { "type": "FIX", "url": "https://go.googlesource.com/net/+/89ef3d95e781148a0951956029c92a211477f7f9" }, { "type": "REPORT", "url": "https://go.dev/issue/45710" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/cu9SP4eSXMc" } ], "credits": [ { "name": "Guido Vranken" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0236", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0273", "modified": "2024-05-20T16:03:47Z", "published": "2022-05-18T18:23:31Z", "aliases": [ "CVE-2021-39293" ], "summary": "Panic due to crafted inputs in archive/zip", "details": "The NewReader and OpenReader functions in archive/zip can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size. This is caused by an incomplete fix for CVE-2021-33196.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.16.8" }, { "introduced": "1.17.0-0" }, { "fixed": "1.17.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "archive/zip", "symbols": [ "NewReader", "OpenReader" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/343434" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/bacbc33439b124ffd7392c91a5f5d96eca8c0c0b" }, { "type": "REPORT", "url": "https://go.dev/issue/47801" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/dx9d7IOseHw" } ], "credits": [ { "name": "OSS-Fuzz Project" }, { "name": "Emmanuel Odeke" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0273", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0288", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-15T23:08:33Z", "aliases": [ "CVE-2021-44716", "GHSA-vc3p-29h2-gpcp" ], "summary": "Unbounded memory growth in net/http and golang.org/x/net/http2", "details": "An attacker can cause unbounded memory growth in servers accepting HTTP/2 requests.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.16.12" }, { "introduced": "1.17.0-0" }, { "fixed": "1.17.5" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "http2serverConn.canonicalHeader" ] } ] } }, { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20211209124913-491a49abca63" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2", "symbols": [ "Server.ServeConn", "serverConn.canonicalHeader" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/369794" }, { "type": "REPORT", "url": "https://go.dev/issue/50058" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/hcmEScgc00k" } ], "credits": [ { "name": "murakmii" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0288", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0289", "modified": "2024-05-20T16:03:47Z", "published": "2022-05-18T18:23:23Z", "aliases": [ "CVE-2021-44717" ], "summary": "Misdirected I/O in syscall", "details": "When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one.\n\nFor users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.16.12" }, { "introduced": "1.17.0-0" }, { "fixed": "1.17.5" } ] } ], "ecosystem_specific": { "imports": [ { "path": "syscall", "symbols": [ "ForkExec" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/370576" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/a76511f3a40ea69ee4f5cd86e735e1c8a84f0aa2" }, { "type": "REPORT", "url": "https://go.dev/issue/50057" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/hcmEScgc00k" }, { "type": "FIX", "url": "https://go.dev/cl/370577" }, { "type": "FIX", "url": "https://go.dev/cl/370795" } ], "credits": [ { "name": "Tomasz Maczukin" }, { "name": "Kamil Trzciński of GitLab" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0289", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0433", "modified": "2024-05-20T16:03:47Z", "published": "2022-05-20T21:17:25Z", "aliases": [ "CVE-2022-24675" ], "summary": "Stack overflow from a large amount of PEM data in encoding/pem", "details": "encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.17.9" }, { "introduced": "1.18.0-0" }, { "fixed": "1.18.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "encoding/pem", "symbols": [ "Decode" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/399820" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/45c3387d777caf28f4b992ad9a6216e3085bb8fe" }, { "type": "REPORT", "url": "https://go.dev/issue/51853" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/oecdBNLOml8" } ], "credits": [ { "name": "Juho Nurminen of Mattermost" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0433", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0434", "modified": "2024-05-20T16:03:47Z", "published": "2022-05-23T21:59:00Z", "aliases": [ "CVE-2022-27536" ], "summary": "Panic during certificate parsing on Darwin in crypto/x509", "details": "Verifying certificate chains containing certificates which are not compliant with RFC 5280 causes Certificate.Verify to panic on macOS.\n\nThese chains can be delivered through TLS and can cause a crypto/tls or net/http client to crash.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.18.0-0" }, { "fixed": "1.18.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/x509", "goos": [ "darwin" ], "symbols": [ "Certificate.Verify" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/393655" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/0fca8a8f25cf4636fd980e72ba0bded4230922de" }, { "type": "REPORT", "url": "https://go.dev/issue/51759" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/oecdBNLOml8" } ], "credits": [ { "name": "Tailscale" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0434", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0435", "modified": "2024-05-20T16:03:47Z", "published": "2022-05-20T21:17:46Z", "aliases": [ "CVE-2022-28327" ], "summary": "Panic due to large inputs affecting P-256 curves in crypto/elliptic", "details": "A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.17.9" }, { "introduced": "1.18.0-0" }, { "fixed": "1.18.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/elliptic", "symbols": [ "CurveParams.ScalarBaseMult", "CurveParams.ScalarMult", "p256Curve.CombinedMult", "p256Curve.ScalarBaseMult", "p256Curve.ScalarMult", "p256GetScalar" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/397135" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/37065847d87df92b5eb246c88ba2085efcf0b331" }, { "type": "REPORT", "url": "https://go.dev/issue/52075" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/oecdBNLOml8" } ], "credits": [ { "name": "Project Wycheproof" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0435", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0477", "modified": "2024-05-20T16:03:47Z", "published": "2022-06-09T01:43:37Z", "aliases": [ "CVE-2022-30634" ], "summary": "Indefinite hang with large buffers on Windows in crypto/rand", "details": "On Windows, rand.Read will hang indefinitely if passed a buffer larger than 1 \u003c\u003c 32 - 1 bytes.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.17.11" }, { "introduced": "1.18.0-0" }, { "fixed": "1.18.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/rand", "goos": [ "windows" ], "symbols": [ "Read" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/402257" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/bb1f4416180511231de6d17a1f2f55c82aafc863" }, { "type": "REPORT", "url": "https://go.dev/issue/52561" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ" } ], "credits": [ { "name": "Davis Goodin" }, { "name": "Quim Muntal of Microsoft" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0477", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0493", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-15T23:30:12Z", "aliases": [ "CVE-2022-29526", "GHSA-p782-xgp4-8hr8" ], "summary": "Incorrect privilege reporting in syscall and golang.org/x/sys/unix", "details": "When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.17.10" }, { "introduced": "1.18.0-0" }, { "fixed": "1.18.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "syscall", "symbols": [ "Faccessat" ] } ] } }, { "package": { "name": "golang.org/x/sys", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20220412211240-33da011f77ad" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/sys/unix", "symbols": [ "Faccessat" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/399539" }, { "type": "REPORT", "url": "https://go.dev/issue/52313" }, { "type": "FIX", "url": "https://go.dev/cl/400074" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/Y5qrqw_lWdU" } ], "credits": [ { "name": "Joël Gähwiler (@256dpi)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0493", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0515", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-20T17:01:45Z", "aliases": [ "CVE-2022-1962" ], "summary": "Stack exhaustion due to deeply nested types in go/parser", "details": "Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.17.12" }, { "introduced": "1.18.0-0" }, { "fixed": "1.18.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "go/parser", "symbols": [ "ParseExprFrom", "ParseFile", "parser.parseBinaryExpr", "parser.parseIfStmt", "parser.parsePrimaryExpr", "parser.parseStmt", "parser.parseUnaryExpr", "parser.tryIdentOrType", "resolver.closeScope", "resolver.openScope" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/417063" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/695be961d57508da5a82217f7415200a11845879" }, { "type": "REPORT", "url": "https://go.dev/issue/53616" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" } ], "credits": [ { "name": "Juho Nurminen of Mattermost" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0515", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0520", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-28T17:23:05Z", "aliases": [ "CVE-2022-32148" ], "summary": "Exposure of client IP addresses in net/http", "details": "Client IP adresses may be unintentionally exposed via X-Forwarded-For headers.\n\nWhen httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy sets the client IP as the value of the X-Forwarded-For header, contrary to its documentation.\n\nIn the more usual case where a Director function sets the X-Forwarded-For header value to nil, ReverseProxy leaves the header unmodified as expected.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.17.12" }, { "introduced": "1.18.0-0" }, { "fixed": "1.18.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "Header.Clone" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/412857" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/b2cc0fecc2ccd80e6d5d16542cc684f97b3a9c8a" }, { "type": "REPORT", "url": "https://go.dev/issue/53423" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" } ], "credits": [ { "name": "Christian Mehlmauer" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0520", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0521", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-20T17:02:04Z", "aliases": [ "CVE-2022-28131" ], "summary": "Stack exhaustion from deeply nested XML documents in encoding/xml", "details": "Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.17.12" }, { "introduced": "1.18.0-0" }, { "fixed": "1.18.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "encoding/xml", "symbols": [ "Decoder.Skip" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/417062" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/08c46ed43d80bbb67cb904944ea3417989be4af3" }, { "type": "REPORT", "url": "https://go.dev/issue/53614" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" } ], "credits": [ { "name": "Go Security Team" }, { "name": "Juho Nurminen of Mattermost" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0521", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0522", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-20T17:02:29Z", "aliases": [ "CVE-2022-30632" ], "summary": "Stack exhaustion on crafted paths in path/filepath", "details": "Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.17.12" }, { "introduced": "1.18.0-0" }, { "fixed": "1.18.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "path/filepath", "symbols": [ "Glob" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/417066" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/ac68c6c683409f98250d34ad282b9e1b0c9095ef" }, { "type": "REPORT", "url": "https://go.dev/issue/53416" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" } ], "credits": [ { "name": "Juho Nurminen of Mattermost" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0522", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0523", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-20T20:52:06Z", "aliases": [ "CVE-2022-30633" ], "summary": "Stack exhaustion when unmarshaling certain documents in encoding/xml", "details": "Unmarshaling an XML document into a Go struct which has a nested field that uses the 'any' field tag can panic due to stack exhaustion.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.17.12" }, { "introduced": "1.18.0-0" }, { "fixed": "1.18.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "encoding/xml", "symbols": [ "Decoder.DecodeElement", "Decoder.unmarshal", "Decoder.unmarshalPath" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/417061" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/c4c1993fd2a5b26fe45c09592af6d3388a3b2e08" }, { "type": "REPORT", "url": "https://go.dev/issue/53611" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0523", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0524", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-20T20:52:11Z", "aliases": [ "CVE-2022-30631" ], "summary": "Stack exhaustion when reading certain archives in compress/gzip", "details": "Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.17.12" }, { "introduced": "1.18.0-0" }, { "fixed": "1.18.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "compress/gzip", "symbols": [ "Reader.Read" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/417067" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/b2b8872c876201eac2d0707276c6999ff3eb185e" }, { "type": "REPORT", "url": "https://go.dev/issue/53168" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0524", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0525", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-25T17:34:18Z", "aliases": [ "CVE-2022-1705" ], "summary": "Improper sanitization of Transfer-Encoding headers in net/http", "details": "The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a \"chunked\" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.17.12" }, { "introduced": "1.18.0-0" }, { "fixed": "1.18.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "transferReader.parseTransferEncoding" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/409874" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/e5017a93fcde94f09836200bca55324af037ee5f" }, { "type": "REPORT", "url": "https://go.dev/issue/53188" }, { "type": "FIX", "url": "https://go.dev/cl/410714" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" } ], "credits": [ { "name": "Zeyu Zhang (https://www.zeyu2001.com/)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0525", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0526", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-20T20:52:17Z", "aliases": [ "CVE-2022-30635" ], "summary": "Stack exhaustion when decoding certain messages in encoding/gob", "details": "Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.17.12" }, { "introduced": "1.18.0-0" }, { "fixed": "1.18.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "encoding/gob", "symbols": [ "Decoder.compileDec", "Decoder.compileIgnoreSingle", "Decoder.decIgnoreOpFor" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/417064" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/6fa37e98ea4382bf881428ee0c150ce591500eb7" }, { "type": "REPORT", "url": "https://go.dev/issue/53615" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0526", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0527", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-20T20:52:22Z", "aliases": [ "CVE-2022-30630" ], "summary": "Stack exhaustion in Glob on certain paths in io/fs", "details": "Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.17.12" }, { "introduced": "1.18.0-0" }, { "fixed": "1.18.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "io/fs", "symbols": [ "Glob" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/417065" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/fa2d41d0ca736f3ad6b200b2a4e134364e9acc59" }, { "type": "REPORT", "url": "https://go.dev/issue/53415" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0527", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0531", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-28T17:24:57Z", "aliases": [ "CVE-2022-30629" ], "summary": "Session tickets lack random ticket_age_add in crypto/tls", "details": "An attacker can correlate a resumed TLS session with a previous connection.\n\nSession tickets generated by crypto/tls do not contain a randomly generated ticket_age_add, which allows an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.17.11" }, { "introduced": "1.18.0-0" }, { "fixed": "1.18.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/tls", "symbols": [ "serverHandshakeStateTLS13.sendSessionTickets" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/405994" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/fe4de36198794c447fbd9d7cc2d7199a506c76a5" }, { "type": "REPORT", "url": "https://go.dev/issue/52814" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ" } ], "credits": [ { "name": "Github user @nervuri" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0531", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0532", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-26T21:41:20Z", "aliases": [ "CVE-2022-30580" ], "summary": "Empty Cmd.Path can trigger unintended binary in os/exec on Windows", "details": "On Windows, executing Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset will unintentionally trigger execution of any binaries in the working directory named either \"..com\" or \"..exe\".", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.17.11" }, { "introduced": "1.18.0-0" }, { "fixed": "1.18.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "os/exec", "goos": [ "windows" ], "symbols": [ "Cmd.Start" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/403759" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e" }, { "type": "REPORT", "url": "https://go.dev/issue/52574" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ" } ], "credits": [ { "name": "Chris Darroch (chrisd8088@github.com)" }, { "name": "brian m. carlson (bk2204@github.com)" }, { "name": "Mikhail Shcherbakov (https://twitter.com/yu5k3)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0532", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0533", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-28T17:25:07Z", "aliases": [ "CVE-2022-29804" ], "summary": "Path traversal via Clean on Windows in path/filepath", "details": "On Windows, the filepath.Clean function can convert certain invalid paths to valid, absolute paths, potentially allowing a directory traversal attack.\n\nFor example, Clean(\".\\c:\") returns \"c:\".", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.17.11" }, { "introduced": "1.18.0-0" }, { "fixed": "1.18.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "path/filepath", "goos": [ "windows" ], "symbols": [ "Clean" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/401595" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/9cd1818a7d019c02fa4898b3e45a323e35033290" }, { "type": "REPORT", "url": "https://go.dev/issue/52476" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ" } ], "credits": [ { "name": "Unrud" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0533", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0535", "modified": "2024-05-20T16:03:47Z", "published": "2022-08-01T22:21:17Z", "aliases": [ "CVE-2020-0601" ], "summary": "Certificate validation bypass on Windows in crypto/x509", "details": "A Windows vulnerability allows attackers to spoof valid certificate chains when the system root store is in use.\n\nA workaround is present in Go 1.12.6+ and Go 1.13.7+, but affected users should additionally install the Windows security update to protect their system.\n\nSee https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0601 for details on the Windows vulnerability.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.12.16" }, { "introduced": "1.13.0-0" }, { "fixed": "1.13.7" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/x509", "goos": [ "windows" ], "symbols": [ "Certificate.systemVerify" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/215905" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/953bc8f391a63adf00bac2515dba62abe8a1e2c2" }, { "type": "REPORT", "url": "https://go.dev/issue/36834" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/Hsw4mHYc470/m/WJeW5wguEgAJ" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0535", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0536", "modified": "2024-05-20T16:03:47Z", "published": "2022-08-01T22:20:53Z", "aliases": [ "CVE-2019-9512", "CVE-2019-9514", "GHSA-39qc-96h7-956f", "GHSA-hgr8-6h9x-f7q9" ], "summary": "Reset flood in net/http and golang.org/x/net/http", "details": "Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service.\n\nServers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.11.13" }, { "introduced": "1.12.0-0" }, { "fixed": "1.12.8" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "http2serverConn.scheduleFrameWrite", "http2serverConn.serve", "http2serverConn.writeFrame" ] } ] } }, { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20190813141303-74dc4d7220e7" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2", "symbols": [ "Server.ServeConn", "serverConn.scheduleFrameWrite", "serverConn.serve", "serverConn.writeFrame" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/190137" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/145e193131eb486077b66009beb051aba07c52a5" }, { "type": "REPORT", "url": "https://go.dev/issue/33606" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/65QixT3tcmg/m/DrFiG6vvCwAJ" } ], "credits": [ { "name": "Jonathan Looney of Netflix" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0536", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0537", "modified": "2024-05-20T16:03:47Z", "published": "2022-08-01T22:21:06Z", "aliases": [ "CVE-2022-32189" ], "summary": "Panic when decoding Float and Rat types in math/big", "details": "Decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.17.13" }, { "introduced": "1.18.0-0" }, { "fixed": "1.18.5" } ] } ], "ecosystem_specific": { "imports": [ { "path": "math/big", "symbols": [ "Float.GobDecode", "Rat.GobDecode" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/417774" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/055113ef364337607e3e72ed7d48df67fde6fc66" }, { "type": "REPORT", "url": "https://go.dev/issue/53871" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/YqYYG87xB10" } ], "credits": [ { "name": "@catenacyber" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0537", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0761", "modified": "2024-05-20T16:03:47Z", "published": "2022-08-09T17:05:15Z", "aliases": [ "CVE-2016-5386" ], "summary": "Improper input validation in net/http and net/http/cgi", "details": "An input validation flaw in the CGI components allows the HTTP_PROXY environment variable to be set by the incoming Proxy header, which changes where Go by default proxies all outbound HTTP requests.\n\nThis environment variable is also used to set the outgoing proxy, enabling an attacker to insert a proxy into outgoing requests of a CGI program.\n\nRead more about \"httpoxy\" here: https://httpoxy.org.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.6.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "Handler.ServeHTTP" ] }, { "path": "net/http/cgi", "symbols": [ "ProxyFromEnvironment" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/25010" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/b97df54c31d6c4cc2a28a3c83725366d52329223" }, { "type": "REPORT", "url": "https://go.dev/issue/16405" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/7jZDOQ8f8tM/m/eWRWHnc8CgAJ" } ], "credits": [ { "name": "Dominic Scheirlinck" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0761", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0969", "modified": "2024-05-20T16:03:47Z", "published": "2022-09-12T20:23:06Z", "aliases": [ "CVE-2022-27664", "GHSA-69cg-p879-7622" ], "summary": "Denial of service in net/http and golang.org/x/net/http2", "details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.18.6" }, { "introduced": "1.19.0-0" }, { "fixed": "1.19.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "ListenAndServe", "ListenAndServeTLS", "Serve", "ServeTLS", "Server.ListenAndServe", "Server.ListenAndServeTLS", "Server.Serve", "Server.ServeTLS", "http2Server.ServeConn", "http2serverConn.goAway" ] } ] } }, { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20220906165146-f3363e06e74c" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2", "symbols": [ "Server.ServeConn", "serverConn.goAway" ] } ] } } ], "references": [ { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s" }, { "type": "REPORT", "url": "https://go.dev/issue/54658" }, { "type": "FIX", "url": "https://go.dev/cl/428735" } ], "credits": [ { "name": "Bahruz Jabiyev" }, { "name": "Tommaso Innocenti" }, { "name": "Anthony Gavazzi" }, { "name": "Steven Sprecher" }, { "name": "Kaan Onarlioglu" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0969", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0988", "modified": "2024-05-20T16:03:47Z", "published": "2022-09-12T20:23:15Z", "aliases": [ "CVE-2022-32190" ], "summary": "Failure to strip relative path components in net/url", "details": "JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath(\"https://go.dev\", \"../go\") returns the URL \"https://go.dev/../go\", despite the JoinPath documentation stating that ../ path elements are removed from the result.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.19.0-0" }, { "fixed": "1.19.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/url", "symbols": [ "JoinPath", "URL.JoinPath" ] } ] } } ], "references": [ { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s" }, { "type": "REPORT", "url": "https://go.dev/issue/54385" }, { "type": "FIX", "url": "https://go.dev/cl/423514" } ], "credits": [ { "name": "@q0jt" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0988", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-1037", "modified": "2024-05-20T16:03:47Z", "published": "2022-10-06T16:26:05Z", "aliases": [ "CVE-2022-2879" ], "summary": "Unbounded memory consumption when reading headers in archive/tar", "details": "Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.18.7" }, { "introduced": "1.19.0-0" }, { "fixed": "1.19.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "archive/tar", "symbols": [ "Reader.Next", "Reader.next", "Writer.WriteHeader", "Writer.writePAXHeader", "parsePAX" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/54853" }, { "type": "FIX", "url": "https://go.dev/cl/439355" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU" } ], "credits": [ { "name": "Adam Korczynski (ADA Logics)" }, { "name": "OSS-Fuzz" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-1037", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-1038", "modified": "2024-05-20T16:03:47Z", "published": "2022-10-06T16:42:43Z", "aliases": [ "CVE-2022-2880" ], "summary": "Incorrect sanitization of forwarded query parameters in net/http/httputil", "details": "Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value.\n\nAfter fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.18.7" }, { "introduced": "1.19.0-0" }, { "fixed": "1.19.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http/httputil", "symbols": [ "ReverseProxy.ServeHTTP" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/54663" }, { "type": "FIX", "url": "https://go.dev/cl/432976" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU" } ], "credits": [ { "name": "Gal Goldstein (Security Researcher, Oxeye)" }, { "name": "Daniel Abeles (Head of Research, Oxeye)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-1038", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-1039", "modified": "2024-05-20T16:03:47Z", "published": "2022-10-06T16:42:07Z", "aliases": [ "CVE-2022-41715" ], "summary": "Memory exhaustion when compiling regular expressions in regexp/syntax", "details": "Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service.\n\nThe parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory.\n\nAfter fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.18.7" }, { "introduced": "1.19.0-0" }, { "fixed": "1.19.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "regexp/syntax", "symbols": [ "Parse", "parse", "parser.factor", "parser.push", "parser.repeat" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/55949" }, { "type": "FIX", "url": "https://go.dev/cl/439356" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU" } ], "credits": [ { "name": "Adam Korczynski (ADA Logics)" }, { "name": "OSS-Fuzz" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-1039", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-1095", "modified": "2024-05-20T16:03:47Z", "published": "2022-11-01T23:55:57Z", "aliases": [ "CVE-2022-41716" ], "summary": "Unsanitized NUL in environment variables on Windows in syscall and os/exec", "details": "Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows.\n\nIn syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string \"A=B\\x00C=D\" sets the variables \"A=B\" and \"C=D\".", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.18.8" }, { "introduced": "1.19.0-0" }, { "fixed": "1.19.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "syscall", "goos": [ "windows" ], "symbols": [ "StartProcess" ] }, { "path": "os/exec", "goos": [ "windows" ], "symbols": [ "Cmd.CombinedOutput", "Cmd.Environ", "Cmd.Output", "Cmd.Run", "Cmd.Start", "Cmd.environ", "dedupEnv", "dedupEnvCase" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/56284" }, { "type": "FIX", "url": "https://go.dev/cl/446916" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/mbHY1UY3BaM/m/hSpmRzk-AgAJ" } ], "credits": [ { "name": "RyotaK (https://twitter.com/ryotkak)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-1095", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-1143", "modified": "2024-05-20T16:03:47Z", "published": "2022-12-07T16:08:45Z", "aliases": [ "CVE-2022-41720" ], "summary": "Restricted file access on Windows in os and net/http", "details": "On Windows, restricted files can be accessed via os.DirFS and http.Dir.\n\nThe os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS(\"C:/tmp\").Open(\"COM1\") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access.\n\nIn addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system.\n\nWith fix applied, the behavior of os.DirFS(\"\") has changed. Previously, an empty root was treated equivalently to \"/\", so os.DirFS(\"\").Open(\"tmp\") would open the path \"/tmp\". This now returns an error.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.18.9" }, { "introduced": "1.19.0-0" }, { "fixed": "1.19.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "os", "goos": [ "windows" ], "symbols": [ "DirFS", "dirFS.Open", "dirFS.Stat" ] }, { "path": "net/http", "goos": [ "windows" ], "symbols": [ "Dir.Open", "ServeFile", "fileHandler.ServeHTTP", "fileTransport.RoundTrip" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/56694" }, { "type": "FIX", "url": "https://go.dev/cl/455716" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-1143", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-1144", "modified": "2024-05-20T16:03:47Z", "published": "2022-12-08T19:01:21Z", "aliases": [ "CVE-2022-41717", "GHSA-xrjj-mj9h-534m" ], "summary": "Excessive memory growth in net/http and golang.org/x/net/http2", "details": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.\n\nHTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.18.9" }, { "introduced": "1.19.0-0" }, { "fixed": "1.19.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "ListenAndServe", "ListenAndServeTLS", "Serve", "ServeTLS", "Server.ListenAndServe", "Server.ListenAndServeTLS", "Server.Serve", "Server.ServeTLS", "http2Server.ServeConn", "http2serverConn.canonicalHeader" ] } ] } }, { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.4.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2", "symbols": [ "Server.ServeConn", "serverConn.canonicalHeader" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/56350" }, { "type": "FIX", "url": "https://go.dev/cl/455717" }, { "type": "FIX", "url": "https://go.dev/cl/455635" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ" } ], "credits": [ { "name": "Josselin Costanzi" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-1144", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-1568", "modified": "2024-05-20T16:03:47Z", "published": "2023-02-16T19:49:19Z", "aliases": [ "CVE-2022-41722" ], "summary": "Path traversal on Windows in path/filepath", "details": "A path traversal vulnerability exists in filepath.Clean on Windows.\n\nOn Windows, the filepath.Clean function could transform an invalid path such as \"a/../c:/b\" into the valid path \"c:\\b\". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack.\n\nAfter fix, the filepath.Clean function transforms this path into the relative (but still invalid) path \".\\c:\\b\".", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.19.6" }, { "introduced": "1.20.0-0" }, { "fixed": "1.20.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "path/filepath", "goos": [ "windows" ], "symbols": [ "Abs", "Clean", "Dir", "EvalSymlinks", "Glob", "IsLocal", "Join", "Rel", "Walk", "WalkDir" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/57274" }, { "type": "FIX", "url": "https://go.dev/cl/468123" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" } ], "credits": [ { "name": "RyotaK (https://ryotak.net)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-1568", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-1569", "modified": "2024-05-20T16:03:47Z", "published": "2023-02-21T20:44:30Z", "aliases": [ "CVE-2022-41725" ], "summary": "Excessive resource consumption in mime/multipart", "details": "A denial of service is possible from excessive resource consumption in net/http and mime/multipart.\n\nMultipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue.\n\nReadForm takes a maxMemory parameter, and is documented as storing \"up to maxMemory bytes +10MB (reserved for non-file parts) in memory\". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files.\n\nWith fix, ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous.\n\nIn addition, ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation states, \"If stored on disk, the File's underlying concrete type will be an *os.File.\". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct.\n\nUsers should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.19.6" }, { "introduced": "1.20.0-0" }, { "fixed": "1.20.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "mime/multipart", "symbols": [ "Reader.ReadForm" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/58006" }, { "type": "FIX", "url": "https://go.dev/cl/468124" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" } ], "credits": [ { "name": "Arpad Ryszka" }, { "name": "Jakob Ackermann (@das7pad)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-1569", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-1570", "modified": "2024-05-20T16:03:47Z", "published": "2023-02-16T22:24:51Z", "aliases": [ "CVE-2022-41724" ], "summary": "Panic on large handshake records in crypto/tls", "details": "Large handshake records may cause panics in crypto/tls.\n\nBoth clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses.\n\nThis affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth \u003e= RequestClientCert).", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.19.6" }, { "introduced": "1.20.0-0" }, { "fixed": "1.20.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/tls", "symbols": [ "Conn.Handshake", "Conn.HandshakeContext", "Conn.Read", "Conn.Write", "Conn.clientHandshake", "Conn.handleKeyUpdate", "Conn.handlePostHandshakeMessage", "Conn.handleRenegotiation", "Conn.loadSession", "Conn.readClientHello", "Conn.readHandshake", "Conn.writeRecord", "ConnectionState.ExportKeyingMaterial", "Dial", "DialWithDialer", "Dialer.Dial", "Dialer.DialContext", "certificateMsg.marshal", "certificateMsgTLS13.marshal", "certificateRequestMsg.marshal", "certificateRequestMsgTLS13.marshal", "certificateStatusMsg.marshal", "certificateVerifyMsg.marshal", "cipherSuiteTLS13.expandLabel", "clientHandshakeState.doFullHandshake", "clientHandshakeState.handshake", "clientHandshakeState.readFinished", "clientHandshakeState.readSessionTicket", "clientHandshakeState.sendFinished", "clientHandshakeStateTLS13.handshake", "clientHandshakeStateTLS13.processHelloRetryRequest", "clientHandshakeStateTLS13.readServerCertificate", "clientHandshakeStateTLS13.readServerFinished", "clientHandshakeStateTLS13.readServerParameters", "clientHandshakeStateTLS13.sendClientCertificate", "clientHandshakeStateTLS13.sendClientFinished", "clientHandshakeStateTLS13.sendDummyChangeCipherSpec", "clientHelloMsg.marshal", "clientHelloMsg.marshalWithoutBinders", "clientHelloMsg.updateBinders", "clientKeyExchangeMsg.marshal", "encryptedExtensionsMsg.marshal", "endOfEarlyDataMsg.marshal", "finishedMsg.marshal", "handshakeMessage.marshal", "helloRequestMsg.marshal", "keyUpdateMsg.marshal", "newSessionTicketMsg.marshal", "newSessionTicketMsgTLS13.marshal", "serverHandshakeState.doFullHandshake", "serverHandshakeState.doResumeHandshake", "serverHandshakeState.readFinished", "serverHandshakeState.sendFinished", "serverHandshakeState.sendSessionTicket", "serverHandshakeStateTLS13.checkForResumption", "serverHandshakeStateTLS13.doHelloRetryRequest", "serverHandshakeStateTLS13.readClientCertificate", "serverHandshakeStateTLS13.readClientFinished", "serverHandshakeStateTLS13.sendDummyChangeCipherSpec", "serverHandshakeStateTLS13.sendServerCertificate", "serverHandshakeStateTLS13.sendServerFinished", "serverHandshakeStateTLS13.sendServerParameters", "serverHandshakeStateTLS13.sendSessionTickets", "serverHelloDoneMsg.marshal", "serverHelloMsg.marshal", "serverKeyExchangeMsg.marshal", "sessionState.marshal", "sessionStateTLS13.marshal" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/58001" }, { "type": "FIX", "url": "https://go.dev/cl/468125" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" } ], "credits": [ { "name": "Marten Seemann" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-1570", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-1571", "modified": "2024-05-20T16:03:47Z", "published": "2023-02-16T22:31:36Z", "aliases": [ "CVE-2022-41723", "GHSA-vvpx-j8f3-3w6h" ], "summary": "Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net", "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.19.6" }, { "introduced": "1.20.0-0" }, { "fixed": "1.20.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "Client.Do", "Client.Get", "Client.Head", "Client.Post", "Client.PostForm", "Get", "Head", "ListenAndServe", "ListenAndServeTLS", "Post", "PostForm", "Serve", "ServeTLS", "Server.ListenAndServe", "Server.ListenAndServeTLS", "Server.Serve", "Server.ServeTLS", "Transport.RoundTrip" ] } ] } }, { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.7.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2", "symbols": [ "ClientConn.Close", "ClientConn.Ping", "ClientConn.RoundTrip", "ClientConn.Shutdown", "ConfigureServer", "ConfigureTransport", "ConfigureTransports", "ConnectionError.Error", "ErrCode.String", "FrameHeader.String", "FrameType.String", "FrameWriteRequest.String", "Framer.ReadFrame", "Framer.WriteContinuation", "Framer.WriteData", "Framer.WriteDataPadded", "Framer.WriteGoAway", "Framer.WriteHeaders", "Framer.WritePing", "Framer.WritePriority", "Framer.WritePushPromise", "Framer.WriteRSTStream", "Framer.WriteRawFrame", "Framer.WriteSettings", "Framer.WriteSettingsAck", "Framer.WriteWindowUpdate", "GoAwayError.Error", "ReadFrameHeader", "Server.ServeConn", "Setting.String", "SettingID.String", "SettingsFrame.ForeachSetting", "StreamError.Error", "Transport.CloseIdleConnections", "Transport.NewClientConn", "Transport.RoundTrip", "Transport.RoundTripOpt", "bufferedWriter.Flush", "bufferedWriter.Write", "chunkWriter.Write", "clientConnPool.GetClientConn", "connError.Error", "dataBuffer.Read", "duplicatePseudoHeaderError.Error", "gzipReader.Close", "gzipReader.Read", "headerFieldNameError.Error", "headerFieldValueError.Error", "noDialClientConnPool.GetClientConn", "noDialH2RoundTripper.RoundTrip", "pipe.Read", "priorityWriteScheduler.CloseStream", "priorityWriteScheduler.OpenStream", "pseudoHeaderError.Error", "requestBody.Close", "requestBody.Read", "responseWriter.Flush", "responseWriter.FlushError", "responseWriter.Push", "responseWriter.SetReadDeadline", "responseWriter.SetWriteDeadline", "responseWriter.Write", "responseWriter.WriteHeader", "responseWriter.WriteString", "serverConn.CloseConn", "serverConn.Flush", "stickyErrWriter.Write", "transportResponseBody.Close", "transportResponseBody.Read", "writeData.String" ] }, { "path": "golang.org/x/net/http2/hpack", "symbols": [ "Decoder.DecodeFull", "Decoder.Write", "Decoder.parseFieldLiteral", "Decoder.readString" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/57855" }, { "type": "FIX", "url": "https://go.dev/cl/468135" }, { "type": "FIX", "url": "https://go.dev/cl/468295" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" } ], "credits": [ { "name": "Philippe Antoine (Catena cyber)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-1571", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-1621", "modified": "2024-05-20T16:03:47Z", "published": "2023-03-08T19:30:53Z", "aliases": [ "CVE-2023-24532" ], "summary": "Incorrect calculation on P256 curves in crypto/internal/nistec", "details": "The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve).\n\nThis does not impact usages of crypto/ecdsa or crypto/ecdh.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.19.7" }, { "introduced": "1.20.0-0" }, { "fixed": "1.20.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/internal/nistec", "symbols": [ "P256OrdInverse", "P256Point.ScalarBaseMult", "P256Point.ScalarMult" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/58647" }, { "type": "FIX", "url": "https://go.dev/cl/471255" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/3-TpUx48iQY" } ], "credits": [ { "name": "Guido Vranken, via the Ethereum Foundation bug bounty program" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-1621", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-1702", "modified": "2024-05-20T16:03:47Z", "published": "2023-04-05T21:05:07Z", "aliases": [ "CVE-2023-24537" ], "summary": "Infinite loop in parsing in go/scanner", "details": "Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.19.8" }, { "introduced": "1.20.0-0" }, { "fixed": "1.20.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "go/scanner", "symbols": [ "Scanner.Scan", "Scanner.updateLineInfo" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/59180" }, { "type": "FIX", "url": "https://go.dev/cl/482078" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8" } ], "credits": [ { "name": "Philippe Antoine (Catena cyber)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-1702", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-1703", "modified": "2024-05-20T16:03:47Z", "published": "2023-04-05T21:05:27Z", "aliases": [ "CVE-2023-24538" ], "summary": "Backticks not treated as string delimiters in html/template", "details": "Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected.\n\nBackticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template.\n\nAs ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. \"var a = {{.}}\"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml.\n\nWith fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21.\n\nUsers who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.19.8" }, { "introduced": "1.20.0-0" }, { "fixed": "1.20.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "html/template", "symbols": [ "Template.Execute", "Template.ExecuteTemplate", "tJS", "tJSDelimited" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/59234" }, { "type": "FIX", "url": "https://go.dev/cl/482079" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8" } ], "credits": [ { "name": "Sohom Datta, Manipal Institute of Technology" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-1703", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-1704", "modified": "2024-05-20T16:03:47Z", "published": "2023-04-05T21:04:28Z", "aliases": [ "CVE-2023-24534" ], "summary": "Excessive memory allocation in net/http and net/textproto", "details": "HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service.\n\nCertain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service.\n\nWith fix, header parsing now correctly allocates only the memory required to hold parsed headers.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.19.8" }, { "introduced": "1.20.0-0" }, { "fixed": "1.20.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/textproto", "symbols": [ "Reader.ReadMIMEHeader", "Reader.upcomingHeaderNewlines", "readMIMEHeader" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/58975" }, { "type": "FIX", "url": "https://go.dev/cl/481994" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8" } ], "credits": [ { "name": "Jakob Ackermann (@das7pad)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-1704", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-1705", "modified": "2024-05-20T16:03:47Z", "published": "2023-04-05T21:04:39Z", "aliases": [ "CVE-2023-24536" ], "summary": "Excessive resource consumption in net/http, net/textproto and mime/multipart", "details": "Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts.\n\nThis stems from several causes:\n\n1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended.\n2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts.\n3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector.\n\nThe combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue.\n\nWith fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations.\n\nIn addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms:\n\n1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=.\n2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.19.8" }, { "introduced": "1.20.0-0" }, { "fixed": "1.20.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "mime/multipart", "symbols": [ "Part.populateHeaders", "Reader.NextPart", "Reader.NextRawPart", "Reader.ReadForm", "Reader.nextPart", "Reader.readForm", "mimeHeaderSize", "newPart", "readMIMEHeader" ] }, { "path": "net/textproto", "symbols": [ "Reader.ReadMIMEHeader", "readMIMEHeader" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/59153" }, { "type": "FIX", "url": "https://go.dev/cl/482076" }, { "type": "FIX", "url": "https://go.dev/cl/482075" }, { "type": "FIX", "url": "https://go.dev/cl/482077" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8" } ], "credits": [ { "name": "Jakob Ackermann (@das7pad)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-1705", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-1751", "modified": "2024-05-20T16:03:47Z", "published": "2023-05-05T21:10:20Z", "aliases": [ "CVE-2023-24539" ], "summary": "Improper sanitization of CSS values in html/template", "details": "Angle brackets (\u003c\u003e) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.19.9" }, { "introduced": "1.20.0-0" }, { "fixed": "1.20.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "html/template", "symbols": [ "Template.Execute", "Template.ExecuteTemplate", "cssValueFilter", "escaper.commit" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/59720" }, { "type": "FIX", "url": "https://go.dev/cl/491615" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU" } ], "credits": [ { "name": "Juho Nurminen of Mattermost" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-1751", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-1752", "modified": "2024-05-20T16:03:47Z", "published": "2023-05-05T21:10:22Z", "aliases": [ "CVE-2023-24540" ], "summary": "Improper handling of JavaScript whitespace in html/template", "details": "Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set \"\\t\\n\\f\\r\\u0020\\u2028\\u2029\" in JavaScript contexts that also contain actions may not be properly sanitized during execution.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.19.9" }, { "introduced": "1.20.0-0" }, { "fixed": "1.20.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "html/template", "symbols": [ "Template.Execute", "Template.ExecuteTemplate", "nextJSCtx" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/59721" }, { "type": "FIX", "url": "https://go.dev/cl/491616" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU" } ], "credits": [ { "name": "Juho Nurminen of Mattermost" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-1752", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-1753", "modified": "2024-05-20T16:03:47Z", "published": "2023-05-05T21:10:24Z", "aliases": [ "CVE-2023-29400" ], "summary": "Improper handling of empty HTML attributes in html/template", "details": "Templates containing actions in unquoted HTML attributes (e.g. \"attr={{.}}\") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.19.9" }, { "introduced": "1.20.0-0" }, { "fixed": "1.20.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "html/template", "symbols": [ "Template.Execute", "Template.ExecuteTemplate", "appendCmd", "htmlNospaceEscaper" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/59722" }, { "type": "FIX", "url": "https://go.dev/cl/491617" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU" } ], "credits": [ { "name": "Juho Nurminen of Mattermost" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-1753", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-1840", "modified": "2024-05-20T16:03:47Z", "published": "2023-06-08T20:16:06Z", "aliases": [ "CVE-2023-29403" ], "summary": "Unsafe behavior in setuid/setgid binaries in runtime", "details": "On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors.\n\nIf a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.19.10" }, { "introduced": "1.20.0-0" }, { "fixed": "1.20.5" } ] } ], "ecosystem_specific": { "imports": [ { "path": "runtime" } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/60272" }, { "type": "FIX", "url": "https://go.dev/cl/501223" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ" } ], "credits": [ { "name": "Vincent Dehors from Synacktiv" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-1840", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-1878", "modified": "2024-05-20T16:03:47Z", "published": "2023-07-11T19:19:08Z", "aliases": [ "CVE-2023-29406" ], "summary": "Insufficient sanitization of Host header in net/http", "details": "The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests.\n\nWith fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.19.11" }, { "introduced": "1.20.0-0" }, { "fixed": "1.20.6" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "Client.CloseIdleConnections", "Client.Do", "Client.Get", "Client.Head", "Client.Post", "Client.PostForm", "Get", "Head", "Post", "PostForm", "Request.Write", "Request.WriteProxy", "Request.write", "Transport.CancelRequest", "Transport.CloseIdleConnections", "Transport.RoundTrip" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/60374" }, { "type": "FIX", "url": "https://go.dev/cl/506996" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/2q13H6LEEx0" } ], "credits": [ { "name": "Bartek Nowotarski" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-1878", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-1987", "modified": "2024-05-20T16:03:47Z", "published": "2023-08-02T17:25:58Z", "aliases": [ "CVE-2023-29409" ], "summary": "Large RSA keys can cause high CPU usage in crypto/tls", "details": "Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures.\n\nWith fix, the size of RSA keys transmitted during handshakes is restricted to \u003c= 8192 bits.\n\nBased on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.19.12" }, { "introduced": "1.20.0-0" }, { "fixed": "1.20.7" }, { "introduced": "1.21.0-0" }, { "fixed": "1.21.0-rc.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/tls", "symbols": [ "Conn.Handshake", "Conn.HandshakeContext", "Conn.Read", "Conn.Write", "Conn.processCertsFromClient", "Conn.verifyServerCertificate", "Dial", "DialWithDialer", "Dialer.Dial", "Dialer.DialContext" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/61460" }, { "type": "FIX", "url": "https://go.dev/cl/515257" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI/m/Efv5DbZ9AwAJ" } ], "credits": [ { "name": "Mateusz Poliwczak" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-1987", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-2041", "modified": "2024-05-20T16:03:47Z", "published": "2023-09-07T16:11:17Z", "aliases": [ "CVE-2023-39318" ], "summary": "Improper handling of HTML-like comments in script contexts in html/template", "details": "The html/template package does not properly handle HTML-like \"\" comment tokens, nor hashbang \"#!\" comment tokens, in \u003cscript\u003e contexts. This may cause the template parser to improperly interpret the contents of \u003cscript\u003e contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.20.8" }, { "introduced": "1.21.0-0" }, { "fixed": "1.21.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "html/template", "symbols": [ "Template.Execute", "Template.ExecuteTemplate", "escaper.escapeText", "isComment", "tJS", "tLineCmt" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/62196" }, { "type": "FIX", "url": "https://go.dev/cl/526156" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ" } ], "credits": [ { "name": "Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-2041", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-2043", "modified": "2024-05-20T16:03:47Z", "published": "2023-09-07T16:11:59Z", "aliases": [ "CVE-2023-39319" ], "summary": "Improper handling of special tags within script contexts in html/template", "details": "The html/template package does not apply the proper rules for handling occurrences of \"\u003cscript\", \"\u003c!--\", and \"\u003c/script\" within JS literals in \u003cscript\u003e contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.20.8" }, { "introduced": "1.21.0-0" }, { "fixed": "1.21.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "html/template", "symbols": [ "Template.Execute", "Template.ExecuteTemplate", "escaper.escapeText", "indexTagEnd", "tSpecialTagEnd" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/62197" }, { "type": "FIX", "url": "https://go.dev/cl/526157" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ" } ], "credits": [ { "name": "Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-2043", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-2044", "modified": "2024-05-20T16:03:47Z", "published": "2023-09-07T16:12:03Z", "aliases": [ "CVE-2023-39321" ], "summary": "Panic when processing post-handshake message on QUIC connections in crypto/tls", "details": "Processing an incomplete post-handshake message for a QUIC connection can cause a panic.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.21.0-0" }, { "fixed": "1.21.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/tls", "symbols": [ "QUICConn.HandleData" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/62266" }, { "type": "FIX", "url": "https://go.dev/cl/523039" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ" } ], "credits": [ { "name": "Marten Seemann" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-2044", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-2045", "modified": "2024-05-20T16:03:47Z", "published": "2023-09-07T16:12:01Z", "aliases": [ "CVE-2023-39322" ], "summary": "Memory exhaustion in QUIC connection handling in crypto/tls", "details": "QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth.\n\nWith fix, connections now consistently reject messages larger than 65KiB in size.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.21.0-0" }, { "fixed": "1.21.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/tls", "symbols": [ "QUICConn.HandleData" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/62266" }, { "type": "FIX", "url": "https://go.dev/cl/523039" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ" } ], "credits": [ { "name": "Marten Seemann" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-2045", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-2102", "modified": "2024-05-20T16:03:47Z", "published": "2023-10-11T16:49:53Z", "aliases": [ "CVE-2023-39325", "GHSA-4374-p667-p6c8" ], "summary": "HTTP/2 rapid reset can cause excessive work in net/http", "details": "A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.\n\nWith the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection.\n\nThis issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2.\n\nThe default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.20.10" }, { "introduced": "1.21.0-0" }, { "fixed": "1.21.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "ListenAndServe", "ListenAndServeTLS", "Serve", "ServeTLS", "Server.ListenAndServe", "Server.ListenAndServeTLS", "Server.Serve", "Server.ServeTLS", "http2Server.ServeConn", "http2serverConn.processHeaders", "http2serverConn.runHandler", "http2serverConn.serve", "http2serverConn.upgradeRequest" ] } ] } }, { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.17.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2", "symbols": [ "Server.ServeConn", "serverConn.processHeaders", "serverConn.runHandler", "serverConn.serve", "serverConn.upgradeRequest" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/63417" }, { "type": "FIX", "url": "https://go.dev/cl/534215" }, { "type": "FIX", "url": "https://go.dev/cl/534235" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-2102", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-2185", "modified": "2024-05-20T16:03:47Z", "published": "2023-11-08T22:42:14Z", "aliases": [ "CVE-2023-45283" ], "summary": "Insecure parsing of Windows paths with a \\??\\ prefix in path/filepath", "details": "The filepath package does not recognize paths with a \\??\\ prefix as special.\n\nOn Windows, a path beginning with \\??\\ is a Root Local Device path equivalent to a path beginning with \\\\?\\. Paths with a \\??\\ prefix may be used to access arbitrary locations on the system. For example, the path \\??\\c:\\x is equivalent to the more common path c:\\x.\n\nBefore fix, Clean could convert a rooted path such as \\a\\..\\??\\b into the root local device path \\??\\b. Clean will now convert this to .\\??\\b.\n\nSimilarly, Join(\\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \\??\\b. Join will now convert this to \\.\\??\\b.\n\nIn addition, with fix, IsAbs now correctly reports paths beginning with \\??\\ as absolute, and VolumeName correctly reports the \\??\\ prefix as a volume name.\n\nUPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \\?, resulting in filepath.Clean(\\?\\c:) returning \\?\\c: rather than \\?\\c:\\ (among other effects). The previous behavior has been restored.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.20.11" }, { "introduced": "1.21.0-0" }, { "fixed": "1.21.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "path/filepath", "goos": [ "windows" ], "symbols": [ "Abs", "Base", "Clean", "Dir", "EvalSymlinks", "Glob", "IsLocal", "Join", "Rel", "Split", "VolumeName", "Walk", "WalkDir", "join", "volumeNameLen" ] }, { "path": "internal/safefilepath", "goos": [ "windows" ], "symbols": [ "FromFS", "fromFS" ] } ] } }, { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.20.11" }, { "fixed": "1.20.12" }, { "introduced": "1.21.4" }, { "fixed": "1.21.5" } ] } ], "ecosystem_specific": { "imports": [ { "path": "path/filepath", "goos": [ "windows" ], "symbols": [ "Abs", "Base", "Clean", "Dir", "EvalSymlinks", "Glob", "IsLocal", "Join", "Rel", "Split", "VolumeName", "Walk", "WalkDir", "volumeNameLen" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/63713" }, { "type": "FIX", "url": "https://go.dev/cl/540277" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY" }, { "type": "REPORT", "url": "https://go.dev/issue/64028" }, { "type": "FIX", "url": "https://go.dev/cl/541175" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-2185", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-2185", "modified": "2024-05-20T16:03:47Z", "published": "2023-11-08T22:42:14Z", "aliases": [ "CVE-2023-45283" ], "summary": "Insecure parsing of Windows paths with a \\??\\ prefix in path/filepath", "details": "The filepath package does not recognize paths with a \\??\\ prefix as special.\n\nOn Windows, a path beginning with \\??\\ is a Root Local Device path equivalent to a path beginning with \\\\?\\. Paths with a \\??\\ prefix may be used to access arbitrary locations on the system. For example, the path \\??\\c:\\x is equivalent to the more common path c:\\x.\n\nBefore fix, Clean could convert a rooted path such as \\a\\..\\??\\b into the root local device path \\??\\b. Clean will now convert this to .\\??\\b.\n\nSimilarly, Join(\\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \\??\\b. Join will now convert this to \\.\\??\\b.\n\nIn addition, with fix, IsAbs now correctly reports paths beginning with \\??\\ as absolute, and VolumeName correctly reports the \\??\\ prefix as a volume name.\n\nUPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \\?, resulting in filepath.Clean(\\?\\c:) returning \\?\\c: rather than \\?\\c:\\ (among other effects). The previous behavior has been restored.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.20.11" }, { "introduced": "1.21.0-0" }, { "fixed": "1.21.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "path/filepath", "goos": [ "windows" ], "symbols": [ "Abs", "Base", "Clean", "Dir", "EvalSymlinks", "Glob", "IsLocal", "Join", "Rel", "Split", "VolumeName", "Walk", "WalkDir", "join", "volumeNameLen" ] }, { "path": "internal/safefilepath", "goos": [ "windows" ], "symbols": [ "FromFS", "fromFS" ] } ] } }, { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.20.11" }, { "fixed": "1.20.12" }, { "introduced": "1.21.4" }, { "fixed": "1.21.5" } ] } ], "ecosystem_specific": { "imports": [ { "path": "path/filepath", "goos": [ "windows" ], "symbols": [ "Abs", "Base", "Clean", "Dir", "EvalSymlinks", "Glob", "IsLocal", "Join", "Rel", "Split", "VolumeName", "Walk", "WalkDir", "volumeNameLen" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/63713" }, { "type": "FIX", "url": "https://go.dev/cl/540277" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY" }, { "type": "REPORT", "url": "https://go.dev/issue/64028" }, { "type": "FIX", "url": "https://go.dev/cl/541175" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-2185", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-2186", "modified": "2024-05-20T16:03:47Z", "published": "2023-11-08T22:42:19Z", "aliases": [ "CVE-2023-45284" ], "summary": "Incorrect detection of reserved device names on Windows in path/filepath", "details": "On Windows, The IsLocal function does not correctly detect reserved device names in some cases.\n\nReserved names followed by spaces, such as \"COM1 \", and reserved names \"COM\" and \"LPT\" followed by superscript 1, 2, or 3, are incorrectly reported as local.\n\nWith fix, IsLocal now correctly reports these names as non-local.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.20.11" }, { "introduced": "1.21.0-0" }, { "fixed": "1.21.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "path/filepath", "symbols": [ "IsLocal" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/63713" }, { "type": "FIX", "url": "https://go.dev/cl/540277" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-2186", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-2375", "modified": "2024-05-20T16:03:47Z", "published": "2023-12-05T16:16:44Z", "aliases": [ "CVE-2023-45287" ], "summary": "Before Go 1.20, the RSA based key exchange methods in crypto/tls may exhibit a timing side channel", "details": "Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits.\n\nIn Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.20.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/tls", "symbols": [ "Conn.Handshake", "Conn.HandshakeContext", "Conn.Read", "Conn.Write", "Dial", "DialWithDialer", "Dialer.Dial", "Dialer.DialContext", "rsaKeyAgreement.generateClientKeyExchange", "rsaKeyAgreement.processClientKeyExchange" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/20654" }, { "type": "FIX", "url": "https://go.dev/cl/326012/26" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/QMK8IQALDvA" }, { "type": "ARTICLE", "url": "https://people.redhat.com/~hkario/marvin/" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-2375", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-2382", "modified": "2024-05-20T16:03:47Z", "published": "2023-12-06T16:22:36Z", "aliases": [ "CVE-2023-39326" ], "summary": "Denial of service via chunk extensions in net/http", "details": "A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body.\n\nA malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request.\n\nChunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.20.12" }, { "introduced": "1.21.0-0" }, { "fixed": "1.21.5" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http/internal", "symbols": [ "chunkedReader.Read", "chunkedReader.beginChunk", "readChunkLine" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/64433" }, { "type": "FIX", "url": "https://go.dev/cl/547335" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ" } ], "credits": [ { "name": "Bartek Nowotarski" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-2382", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2024-2598", "modified": "2024-05-20T16:03:47Z", "published": "2024-03-05T22:14:58Z", "aliases": [ "CVE-2024-24783" ], "summary": "Verify panics on certificates with an unknown public key algorithm in crypto/x509", "details": "Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic.\n\nThis affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.21.8" }, { "introduced": "1.22.0-0" }, { "fixed": "1.22.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/x509", "symbols": [ "Certificate.Verify", "Certificate.buildChains" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/65390" }, { "type": "FIX", "url": "https://go.dev/cl/569339" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg" } ], "credits": [ { "name": "John Howard (Google)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-2598", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2024-2599", "modified": "2024-05-20T16:03:47Z", "published": "2024-03-05T22:15:00Z", "aliases": [ "CVE-2023-45290" ], "summary": "Memory exhaustion in multipart form parsing in net/textproto and net/http", "details": "When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion.\n\nWith fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.21.8" }, { "introduced": "1.22.0-0" }, { "fixed": "1.22.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/textproto", "symbols": [ "Reader.ReadCodeLine", "Reader.ReadContinuedLine", "Reader.ReadContinuedLineBytes", "Reader.ReadDotLines", "Reader.ReadLine", "Reader.ReadLineBytes", "Reader.ReadMIMEHeader", "Reader.ReadResponse", "Reader.readContinuedLineSlice", "Reader.readLineSlice" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/65383" }, { "type": "FIX", "url": "https://go.dev/cl/569341" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg" } ], "credits": [ { "name": "Bartek Nowotarski" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-2599", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2024-2600", "modified": "2024-05-20T16:03:47Z", "published": "2024-03-05T22:15:02Z", "aliases": [ "CVE-2023-45289" ], "summary": "Incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http", "details": "When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as \"Authorization\" or \"Cookie\". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not.\n\nA maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.21.8" }, { "introduced": "1.22.0-0" }, { "fixed": "1.22.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "Client.Do", "Client.Get", "Client.Head", "Client.Post", "Client.PostForm", "Get", "Head", "Post", "PostForm", "isDomainOrSubdomain" ] }, { "path": "net/http/cookiejar", "symbols": [ "Jar.Cookies", "Jar.SetCookies", "isIP" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/65065" }, { "type": "FIX", "url": "https://go.dev/cl/569340" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg" } ], "credits": [ { "name": "Juho Nurminen of Mattermost" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-2600", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2024-2609", "modified": "2024-05-20T16:03:47Z", "published": "2024-03-05T22:15:04Z", "aliases": [ "CVE-2024-24784" ], "summary": "Comments in display names are incorrectly handled in net/mail", "details": "The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.21.8" }, { "introduced": "1.22.0-0" }, { "fixed": "1.22.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/mail", "symbols": [ "Address.String", "AddressParser.Parse", "AddressParser.ParseList", "Header.AddressList", "ParseAddress", "ParseAddressList", "addrParser.consumeGroupList", "addrParser.consumePhrase", "isAtext" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/65083" }, { "type": "FIX", "url": "https://go.dev/cl/555596" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg" } ], "credits": [ { "name": "Juho Nurminen of Mattermost" }, { "name": "Slonser (https://github.com/Slonser)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-2609", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2024-2610", "modified": "2024-05-20T16:03:47Z", "published": "2024-03-05T22:15:40Z", "aliases": [ "CVE-2024-24785" ], "summary": "Errors returned from JSON marshaling may break template escaping in html/template", "details": "If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.21.8" }, { "introduced": "1.22.0-0" }, { "fixed": "1.22.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "html/template", "symbols": [ "Template.Execute", "Template.ExecuteTemplate", "escaper.commit", "jsValEscaper" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/65697" }, { "type": "FIX", "url": "https://go.dev/cl/564196" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg" } ], "credits": [ { "name": "RyotaK (https://ryotak.net)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-2610", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2024-2687", "modified": "2024-05-20T16:03:47Z", "published": "2024-04-03T21:12:01Z", "aliases": [ "CVE-2023-45288", "GHSA-4v7x-pqxf-cx7m" ], "summary": "HTTP/2 CONTINUATION flood in net/http", "details": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames.\n\nMaintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed.\n\nThis permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.\n\nThe fix sets a limit on the amount of excess header frames we will process before closing a connection.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.21.9" }, { "introduced": "1.22.0-0" }, { "fixed": "1.22.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "CanonicalHeaderKey", "Client.CloseIdleConnections", "Client.Do", "Client.Get", "Client.Head", "Client.Post", "Client.PostForm", "Cookie.String", "Cookie.Valid", "Dir.Open", "Error", "Get", "HandlerFunc.ServeHTTP", "Head", "Header.Add", "Header.Del", "Header.Get", "Header.Set", "Header.Values", "Header.Write", "Header.WriteSubset", "ListenAndServe", "ListenAndServeTLS", "NewRequest", "NewRequestWithContext", "NotFound", "ParseTime", "Post", "PostForm", "ProxyFromEnvironment", "ReadRequest", "ReadResponse", "Redirect", "Request.AddCookie", "Request.BasicAuth", "Request.FormFile", "Request.FormValue", "Request.MultipartReader", "Request.ParseForm", "Request.ParseMultipartForm", "Request.PostFormValue", "Request.Referer", "Request.SetBasicAuth", "Request.UserAgent", "Request.Write", "Request.WriteProxy", "Response.Cookies", "Response.Location", "Response.Write", "ResponseController.EnableFullDuplex", "ResponseController.Flush", "ResponseController.Hijack", "ResponseController.SetReadDeadline", "ResponseController.SetWriteDeadline", "Serve", "ServeContent", "ServeFile", "ServeMux.ServeHTTP", "ServeTLS", "Server.Close", "Server.ListenAndServe", "Server.ListenAndServeTLS", "Server.Serve", "Server.ServeTLS", "Server.SetKeepAlivesEnabled", "Server.Shutdown", "SetCookie", "Transport.CancelRequest", "Transport.Clone", "Transport.CloseIdleConnections", "Transport.RoundTrip", "body.Close", "body.Read", "bodyEOFSignal.Close", "bodyEOFSignal.Read", "bodyLocked.Read", "bufioFlushWriter.Write", "cancelTimerBody.Close", "cancelTimerBody.Read", "checkConnErrorWriter.Write", "chunkWriter.Write", "connReader.Read", "connectMethodKey.String", "expectContinueReader.Close", "expectContinueReader.Read", "extraHeader.Write", "fileHandler.ServeHTTP", "fileTransport.RoundTrip", "globalOptionsHandler.ServeHTTP", "gzipReader.Close", "gzipReader.Read", "http2ClientConn.Close", "http2ClientConn.Ping", "http2ClientConn.RoundTrip", "http2ClientConn.Shutdown", "http2ConnectionError.Error", "http2ErrCode.String", "http2FrameHeader.String", "http2FrameType.String", "http2FrameWriteRequest.String", "http2Framer.ReadFrame", "http2Framer.WriteContinuation", "http2Framer.WriteData", "http2Framer.WriteDataPadded", "http2Framer.WriteGoAway", "http2Framer.WriteHeaders", "http2Framer.WritePing", "http2Framer.WritePriority", "http2Framer.WritePushPromise", "http2Framer.WriteRSTStream", "http2Framer.WriteRawFrame", "http2Framer.WriteSettings", "http2Framer.WriteSettingsAck", "http2Framer.WriteWindowUpdate", "http2Framer.readMetaFrame", "http2GoAwayError.Error", "http2Server.ServeConn", "http2Setting.String", "http2SettingID.String", "http2SettingsFrame.ForeachSetting", "http2StreamError.Error", "http2Transport.CloseIdleConnections", "http2Transport.NewClientConn", "http2Transport.RoundTrip", "http2Transport.RoundTripOpt", "http2bufferedWriter.Flush", "http2bufferedWriter.Write", "http2chunkWriter.Write", "http2clientConnPool.GetClientConn", "http2connError.Error", "http2dataBuffer.Read", "http2duplicatePseudoHeaderError.Error", "http2gzipReader.Close", "http2gzipReader.Read", "http2headerFieldNameError.Error", "http2headerFieldValueError.Error", "http2noDialClientConnPool.GetClientConn", "http2noDialH2RoundTripper.RoundTrip", "http2pipe.Read", "http2priorityWriteScheduler.CloseStream", "http2priorityWriteScheduler.OpenStream", "http2pseudoHeaderError.Error", "http2requestBody.Close", "http2requestBody.Read", "http2responseWriter.Flush", "http2responseWriter.FlushError", "http2responseWriter.Push", "http2responseWriter.SetReadDeadline", "http2responseWriter.SetWriteDeadline", "http2responseWriter.Write", "http2responseWriter.WriteHeader", "http2responseWriter.WriteString", "http2roundRobinWriteScheduler.OpenStream", "http2serverConn.CloseConn", "http2serverConn.Flush", "http2stickyErrWriter.Write", "http2transportResponseBody.Close", "http2transportResponseBody.Read", "http2writeData.String", "initALPNRequest.ServeHTTP", "loggingConn.Close", "loggingConn.Read", "loggingConn.Write", "maxBytesReader.Close", "maxBytesReader.Read", "onceCloseListener.Close", "persistConn.Read", "persistConnWriter.ReadFrom", "persistConnWriter.Write", "populateResponse.Write", "populateResponse.WriteHeader", "readTrackingBody.Close", "readTrackingBody.Read", "readWriteCloserBody.Read", "redirectHandler.ServeHTTP", "response.Flush", "response.FlushError", "response.Hijack", "response.ReadFrom", "response.Write", "response.WriteHeader", "response.WriteString", "serverHandler.ServeHTTP", "socksDialer.DialWithConn", "socksUsernamePassword.Authenticate", "stringWriter.WriteString", "timeoutHandler.ServeHTTP", "timeoutWriter.Write", "timeoutWriter.WriteHeader", "transportReadFromServerError.Error" ] } ] } }, { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.23.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2", "symbols": [ "ClientConn.Close", "ClientConn.Ping", "ClientConn.RoundTrip", "ClientConn.Shutdown", "ConfigureServer", "ConfigureTransport", "ConfigureTransports", "ConnectionError.Error", "ErrCode.String", "FrameHeader.String", "FrameType.String", "FrameWriteRequest.String", "Framer.ReadFrame", "Framer.WriteContinuation", "Framer.WriteData", "Framer.WriteDataPadded", "Framer.WriteGoAway", "Framer.WriteHeaders", "Framer.WritePing", "Framer.WritePriority", "Framer.WritePushPromise", "Framer.WriteRSTStream", "Framer.WriteRawFrame", "Framer.WriteSettings", "Framer.WriteSettingsAck", "Framer.WriteWindowUpdate", "Framer.readMetaFrame", "GoAwayError.Error", "ReadFrameHeader", "Server.ServeConn", "Setting.String", "SettingID.String", "SettingsFrame.ForeachSetting", "StreamError.Error", "Transport.CloseIdleConnections", "Transport.NewClientConn", "Transport.RoundTrip", "Transport.RoundTripOpt", "bufferedWriter.Flush", "bufferedWriter.Write", "chunkWriter.Write", "clientConnPool.GetClientConn", "connError.Error", "dataBuffer.Read", "duplicatePseudoHeaderError.Error", "gzipReader.Close", "gzipReader.Read", "headerFieldNameError.Error", "headerFieldValueError.Error", "noDialClientConnPool.GetClientConn", "noDialH2RoundTripper.RoundTrip", "pipe.Read", "priorityWriteScheduler.CloseStream", "priorityWriteScheduler.OpenStream", "pseudoHeaderError.Error", "requestBody.Close", "requestBody.Read", "responseWriter.Flush", "responseWriter.FlushError", "responseWriter.Push", "responseWriter.SetReadDeadline", "responseWriter.SetWriteDeadline", "responseWriter.Write", "responseWriter.WriteHeader", "responseWriter.WriteString", "roundRobinWriteScheduler.OpenStream", "serverConn.CloseConn", "serverConn.Flush", "stickyErrWriter.Write", "transportResponseBody.Close", "transportResponseBody.Read", "writeData.String" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/65051" }, { "type": "FIX", "url": "https://go.dev/cl/576155" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M" } ], "credits": [ { "name": "Bartek Nowotarski (https://nowotarski.info/)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-2687", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2024-2824", "modified": "2024-05-20T16:03:47Z", "published": "2024-05-07T22:33:51Z", "aliases": [ "CVE-2024-24788" ], "summary": "Malformed DNS message can cause infinite loop in net", "details": "A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.22.0-0" }, { "fixed": "1.22.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net", "symbols": [ "Dial", "DialTimeout", "Dialer.Dial", "Dialer.DialContext", "Listen", "ListenConfig.Listen", "ListenConfig.ListenPacket", "ListenPacket", "LookupAddr", "LookupCNAME", "LookupHost", "LookupIP", "LookupMX", "LookupNS", "LookupSRV", "LookupTXT", "ResolveIPAddr", "ResolveTCPAddr", "ResolveUDPAddr", "Resolver.LookupAddr", "Resolver.LookupCNAME", "Resolver.LookupHost", "Resolver.LookupIP", "Resolver.LookupIPAddr", "Resolver.LookupMX", "Resolver.LookupNS", "Resolver.LookupNetIP", "Resolver.LookupSRV", "Resolver.LookupTXT", "extractExtendedRCode" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/66754" }, { "type": "FIX", "url": "https://go.dev/cl/578375" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/wkkO4P9stm0" } ], "credits": [ { "name": "@long-name-let-people-remember-you" }, { "name": "Mateusz Poliwczak" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-2824", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2024-2887", "modified": "2024-06-04T22:48:55Z", "published": "2024-06-04T22:48:55Z", "aliases": [ "CVE-2024-24790" ], "summary": "Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in net/netip", "details": "The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.21.11" }, { "introduced": "1.22.0-0" }, { "fixed": "1.22.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/netip", "symbols": [ "Addr.IsGlobalUnicast", "Addr.IsInterfaceLocalMulticast", "Addr.IsLinkLocalMulticast", "Addr.IsLoopback", "Addr.IsMulticast", "Addr.IsPrivate" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/590316" }, { "type": "REPORT", "url": "https://go.dev/issue/67680" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ" } ], "credits": [ { "name": "Enze Wang of Alioth (@zer0yu)" }, { "name": "Jianjun Chen of Zhongguancun Lab (@chenjj)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-2887", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2024-2888", "modified": "2024-06-04T22:48:55Z", "published": "2024-06-04T22:48:55Z", "aliases": [ "CVE-2024-24789" ], "summary": "Mishandling of corrupt central directory record in archive/zip", "details": "The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.21.11" }, { "introduced": "1.22.0-0" }, { "fixed": "1.22.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "archive/zip", "symbols": [ "NewReader", "OpenReader", "findSignatureInBlock" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/585397" }, { "type": "REPORT", "url": "https://go.dev/issue/66869" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ" } ], "credits": [ { "name": "Yufan You (@ouuan)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-2888", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2024-2963", "modified": "2024-07-02T20:11:00Z", "published": "2024-07-02T20:11:00Z", "aliases": [ "CVE-2024-24791" ], "summary": "Denial of service due to improper 100-continue handling in net/http", "details": "The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an \"Expect: 100-continue\" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.\n\nAn attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending \"Expect: 100-continue\" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.21.12" }, { "introduced": "1.22.0-0" }, { "fixed": "1.22.5" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "Client.CloseIdleConnections", "Client.Do", "Client.Get", "Client.Head", "Client.Post", "Client.PostForm", "Get", "Head", "Post", "PostForm", "Transport.CancelRequest", "Transport.CloseIdleConnections", "Transport.RoundTrip", "persistConn.readResponse" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/591255" }, { "type": "REPORT", "url": "https://go.dev/issue/67555" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ" } ], "credits": [ { "name": "Geoff Franks" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-2963", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2024-3105", "modified": "2024-09-06T19:15:23Z", "published": "2024-09-06T19:15:23Z", "aliases": [ "CVE-2024-34155" ], "summary": "Stack exhaustion in all Parse functions in go/parser", "details": "Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.22.7" }, { "introduced": "1.23.0-0" }, { "fixed": "1.23.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "go/parser", "symbols": [ "ParseDir", "ParseExpr", "ParseExprFrom", "ParseFile", "parser.parseLiteralValue" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/611238" }, { "type": "REPORT", "url": "https://go.dev/issue/69138" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-3105", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2024-3106", "modified": "2024-09-06T19:15:23Z", "published": "2024-09-06T19:15:23Z", "aliases": [ "CVE-2024-34156" ], "summary": "Stack exhaustion in Decoder.Decode in encoding/gob", "details": "Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.22.7" }, { "introduced": "1.23.0-0" }, { "fixed": "1.23.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "encoding/gob", "symbols": [ "Decoder.Decode", "Decoder.DecodeValue", "Decoder.decIgnoreOpFor" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/611239" }, { "type": "REPORT", "url": "https://go.dev/issue/69139" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk" } ], "credits": [ { "name": "Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-3106", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2024-3107", "modified": "2024-09-06T19:15:23Z", "published": "2024-09-06T19:15:23Z", "aliases": [ "CVE-2024-34158" ], "summary": "Stack exhaustion in Parse in go/build/constraint", "details": "Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.22.7" }, { "introduced": "1.23.0-0" }, { "fixed": "1.23.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "go/build/constraint", "symbols": [ "Parse", "exprParser.not", "parsePlusBuildExpr" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/611240" }, { "type": "REPORT", "url": "https://go.dev/issue/69141" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-3107", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-3373", "modified": "2025-01-30T18:58:58Z", "published": "2025-01-28T00:47:30Z", "aliases": [ "CVE-2024-45341" ], "summary": "Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509", "details": "A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain.\n\nCertificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.22.11" }, { "introduced": "1.23.0-0" }, { "fixed": "1.23.5" }, { "introduced": "1.24.0-0" }, { "fixed": "1.24.0-rc.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/x509", "symbols": [ "CertPool.AppendCertsFromPEM", "Certificate.CheckCRLSignature", "Certificate.CheckSignature", "Certificate.CheckSignatureFrom", "Certificate.CreateCRL", "Certificate.Verify", "Certificate.VerifyHostname", "CertificateRequest.CheckSignature", "CreateCertificate", "CreateCertificateRequest", "CreateRevocationList", "DecryptPEMBlock", "EncryptPEMBlock", "HostnameError.Error", "MarshalECPrivateKey", "MarshalPKCS1PrivateKey", "MarshalPKCS1PublicKey", "MarshalPKCS8PrivateKey", "MarshalPKIXPublicKey", "ParseCRL", "ParseCertificate", "ParseCertificateRequest", "ParseCertificates", "ParseDERCRL", "ParseECPrivateKey", "ParsePKCS1PrivateKey", "ParsePKCS1PublicKey", "ParsePKCS8PrivateKey", "ParsePKIXPublicKey", "ParseRevocationList", "RevocationList.CheckSignatureFrom", "SetFallbackRoots", "SystemCertPool", "matchURIConstraint" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/643099" }, { "type": "REPORT", "url": "https://go.dev/issue/71156" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ" } ], "credits": [ { "name": "Juho Forsén of Mattermost" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-3373", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-3420", "modified": "2025-01-30T18:58:58Z", "published": "2025-01-28T00:47:30Z", "aliases": [ "CVE-2024-45336" ], "summary": "Sensitive headers incorrectly sent after cross-domain redirect in net/http", "details": "The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com.\n\nIn the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.22.11" }, { "introduced": "1.23.0-0" }, { "fixed": "1.23.5" }, { "introduced": "1.24.0-0" }, { "fixed": "1.24.0-rc.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "Client.Do", "Client.Get", "Client.Head", "Client.Post", "Client.PostForm", "Client.do", "Client.makeHeadersCopier", "Get", "Head", "Post", "PostForm", "shouldCopyHeaderOnRedirect" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/643100" }, { "type": "REPORT", "url": "https://go.dev/issue/70530" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ" } ], "credits": [ { "name": "Kyle Seely" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-3420", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-3421", "modified": "2025-01-30T18:58:58Z", "published": "2025-01-28T00:47:30Z", "aliases": [ "CVE-2025-22865" ], "summary": "ParsePKCS1PrivateKey panic with partial keys in crypto/x509", "details": "Using ParsePKCS1PrivateKey to parse a RSA key that is missing the CRT values would panic when verifying that the key is well formed.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.24.0-0" }, { "fixed": "1.24.0-rc.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/x509", "symbols": [ "ParsePKCS1PrivateKey" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/643098" }, { "type": "REPORT", "url": "https://go.dev/issue/71216" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ" } ], "credits": [ { "name": "Philippe Antoine (Catena cyber)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-3421", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-3447", "modified": "2025-02-06T16:38:14Z", "published": "2025-02-06T16:38:14Z", "aliases": [ "CVE-2025-22866" ], "summary": "Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec", "details": "Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.22.12" }, { "introduced": "1.23.0-0" }, { "fixed": "1.23.6" }, { "introduced": "1.24.0-0" }, { "fixed": "1.24.0-rc.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/internal/nistec", "goarch": [ "ppc64le" ], "symbols": [ "P256Point.ScalarBaseMult", "P256Point.ScalarMult", "P256Point.SetBytes", "p256NegCond" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/643735" }, { "type": "REPORT", "url": "https://go.dev/issue/71383" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/xU1ZCHUZw3k" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-3447", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-3563", "modified": "2025-04-08T19:46:23Z", "published": "2025-04-08T19:46:23Z", "aliases": [ "CVE-2025-22871" ], "summary": "Request smuggling due to acceptance of invalid chunked data in net/http", "details": "The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.23.8" }, { "introduced": "1.24.0-0" }, { "fixed": "1.24.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http/internal", "symbols": [ "chunkedReader.Read", "readChunkLine" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/652998" }, { "type": "REPORT", "url": "https://go.dev/issue/71988" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk" } ], "credits": [ { "name": "Jeppe Bonde Weikop" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-3563", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-3749", "modified": "2025-06-16T20:08:41Z", "published": "2025-06-11T16:23:50Z", "aliases": [ "CVE-2025-22874" ], "summary": "Usage of ExtKeyUsageAny disables policy validation in crypto/x509", "details": "Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.24.0-0" }, { "fixed": "1.24.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/x509", "symbols": [ "Certificate.Verify" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/670375" }, { "type": "REPORT", "url": "https://go.dev/issue/73612" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A" } ], "credits": [ { "name": "Krzysztof Skrzętnicki (@Tener) of Teleport" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-3749", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-3750", "modified": "2025-06-11T16:59:06Z", "published": "2025-06-11T16:59:06Z", "aliases": [ "CVE-2025-0913" ], "summary": "Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os in syscall", "details": "os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.23.10" }, { "introduced": "1.24.0-0" }, { "fixed": "1.24.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "syscall", "goos": [ "windows" ], "symbols": [ "Open" ] }, { "path": "os", "goos": [ "windows" ], "symbols": [ "Chdir", "Chmod", "Chown", "CopyFS", "Create", "CreateTemp", "File.ReadDir", "File.Readdir", "File.Readdirnames", "Getwd", "Lchown", "Link", "Lstat", "Mkdir", "MkdirAll", "MkdirTemp", "NewFile", "Open", "OpenFile", "OpenInRoot", "OpenRoot", "Pipe", "ReadDir", "ReadFile", "Remove", "RemoveAll", "Rename", "Root.Create", "Root.Lstat", "Root.Mkdir", "Root.Open", "Root.OpenFile", "Root.OpenRoot", "Root.Remove", "Root.Stat", "StartProcess", "Stat", "Symlink", "Truncate", "WriteFile", "dirFS.Open", "dirFS.ReadDir", "dirFS.ReadFile", "dirFS.Stat", "rootFS.Open", "rootFS.ReadDir", "rootFS.ReadFile", "rootFS.Stat", "unixDirent.Info" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/672396" }, { "type": "REPORT", "url": "https://go.dev/issue/73702" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A" } ], "credits": [ { "name": "Junyoung Park and Dong-uk Kim of KAIST Hacking Lab" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-3750", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-3751", "modified": "2025-06-11T16:23:58Z", "published": "2025-06-11T16:23:58Z", "aliases": [ "CVE-2025-4673" ], "summary": "Sensitive headers not cleared on cross-origin redirect in net/http", "details": "Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.23.10" }, { "introduced": "1.24.0-0" }, { "fixed": "1.24.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "Client.Do", "Client.Get", "Client.Head", "Client.Post", "Client.PostForm", "Client.makeHeadersCopier", "Get", "Head", "Post", "PostForm" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/679257" }, { "type": "REPORT", "url": "https://go.dev/issue/73816" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A" } ], "credits": [ { "name": "Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-3751", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-3849", "modified": "2025-08-07T15:07:27Z", "published": "2025-08-07T15:07:27Z", "aliases": [ "CVE-2025-47907" ], "summary": "Incorrect results returned from Rows.Scan in database/sql", "details": "Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.23.12" }, { "introduced": "1.24.0" }, { "fixed": "1.24.6" } ] } ], "ecosystem_specific": { "imports": [ { "path": "database/sql", "symbols": [ "Row.Scan", "Rows.Scan" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/693735" }, { "type": "REPORT", "url": "https://go.dev/issue/74831" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM" } ], "credits": [ { "name": "Spike Curtis from Coder" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-3849", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-3955", "modified": "2025-09-22T20:48:35Z", "published": "2025-09-22T20:48:35Z", "aliases": [ "CVE-2025-47910", "CVE-2025-47910" ], "summary": "CrossOriginProtection insecure bypass patterns not limited to exact matches in net/http", "details": "When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.25.0" }, { "fixed": "1.25.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "CrossOriginProtection.AddInsecureBypassPattern" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/699275" }, { "type": "REPORT", "url": "https://go.dev/issue/75054" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/PtW9VW21NPs/m/DJhMQ-m5AQAJ" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-3955", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-3956", "modified": "2025-09-18T18:21:44Z", "published": "2025-09-18T18:21:44Z", "aliases": [ "CVE-2025-47906", "CVE-2025-47906" ], "summary": "Unexpected paths returned from LookPath in os/exec", "details": "If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.23.12" }, { "introduced": "1.24.0" }, { "fixed": "1.24.6" } ] } ], "ecosystem_specific": { "imports": [ { "path": "os/exec", "symbols": [ "LookPath" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/691775" }, { "type": "REPORT", "url": "https://go.dev/issue/74466" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-3956", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-4006", "modified": "2025-12-09T17:20:47Z", "published": "2025-10-29T21:48:35Z", "aliases": [ "CVE-2025-61725", "CVE-2025-61725" ], "summary": "Excessive CPU consumption in ParseAddress in net/mail", "details": "The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.24.8" }, { "introduced": "1.25.0" }, { "fixed": "1.25.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/mail", "symbols": [ "AddressParser.Parse", "AddressParser.ParseList", "Header.AddressList", "ParseAddress", "ParseAddressList", "addrParser.consumeDomainLiteral" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/709860" }, { "type": "REPORT", "url": "https://go.dev/issue/75680" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI" } ], "credits": [ { "name": "Philippe Antoine (Catena cyber)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-4006", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-4007", "modified": "2025-11-20T22:03:19Z", "published": "2025-10-29T21:49:50Z", "aliases": [ "CVE-2025-58187", "CVE-2025-58187" ], "summary": "Quadratic complexity when checking name constraints in crypto/x509", "details": "Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate.\n\nThis affects programs which validate arbitrary certificate chains.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.24.9" }, { "introduced": "1.25.0" }, { "fixed": "1.25.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/x509", "symbols": [ "CertPool.AppendCertsFromPEM", "Certificate.CheckCRLSignature", "Certificate.CheckSignature", "Certificate.CheckSignatureFrom", "Certificate.CreateCRL", "Certificate.Verify", "CertificateRequest.CheckSignature", "CreateCertificate", "CreateCertificateRequest", "CreateRevocationList", "DecryptPEMBlock", "EncryptPEMBlock", "MarshalECPrivateKey", "MarshalPKCS1PrivateKey", "MarshalPKCS1PublicKey", "MarshalPKCS8PrivateKey", "MarshalPKIXPublicKey", "ParseCRL", "ParseCertificate", "ParseCertificateRequest", "ParseCertificates", "ParseDERCRL", "ParseECPrivateKey", "ParsePKCS1PrivateKey", "ParsePKCS1PublicKey", "ParsePKCS8PrivateKey", "ParsePKIXPublicKey", "ParseRevocationList", "RevocationList.CheckSignatureFrom", "SetFallbackRoots", "SystemCertPool", "domainToReverseLabels", "parseSANExtension" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/75681" }, { "type": "FIX", "url": "https://go.dev/cl/709854" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI" } ], "credits": [ { "name": "Jakub Ciolek" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-4007", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-4008", "modified": "2025-10-29T21:49:53Z", "published": "2025-10-29T21:49:53Z", "aliases": [ "CVE-2025-58189", "CVE-2025-58189" ], "summary": "ALPN negotiation error contains attacker controlled information in crypto/tls", "details": "When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.24.8" }, { "introduced": "1.25.0" }, { "fixed": "1.25.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/tls", "symbols": [ "Conn.Handshake", "Conn.HandshakeContext", "Conn.Read", "Conn.Write", "Dial", "DialWithDialer", "Dialer.Dial", "Dialer.DialContext", "QUICConn.Start", "negotiateALPN" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/707776" }, { "type": "REPORT", "url": "https://go.dev/issue/75652" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI" } ], "credits": [ { "name": "National Cyber Security Centre Finland" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-4008", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-4009", "modified": "2025-10-29T21:49:55Z", "published": "2025-10-29T21:49:55Z", "aliases": [ "CVE-2025-61723", "CVE-2025-61723" ], "summary": "Quadratic complexity when parsing some invalid inputs in encoding/pem", "details": "The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input.\n\nThis affects programs which parse untrusted PEM inputs.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.24.8" }, { "introduced": "1.25.0" }, { "fixed": "1.25.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "encoding/pem", "symbols": [ "Decode", "getLine" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/75676" }, { "type": "FIX", "url": "https://go.dev/cl/709858" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI" } ], "credits": [ { "name": "Jakub Ciolek" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-4009", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-4010", "modified": "2025-10-29T21:49:58Z", "published": "2025-10-29T21:49:58Z", "aliases": [ "CVE-2025-47912", "CVE-2025-47912" ], "summary": "Insufficient validation of bracketed IPv6 hostnames in net/url", "details": "The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: \"http://[::1]/\". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.24.8" }, { "introduced": "1.25.0" }, { "fixed": "1.25.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/url", "symbols": [ "JoinPath", "Parse", "ParseRequestURI", "URL.Parse", "URL.UnmarshalBinary", "parseHost" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/75678" }, { "type": "FIX", "url": "https://go.dev/cl/709857" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI" } ], "credits": [ { "name": "Enze Wang, Jingcheng Yang and Zehui Miao of Tsinghua University" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-4010", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-4011", "modified": "2025-10-29T21:50:00Z", "published": "2025-10-29T21:50:00Z", "aliases": [ "CVE-2025-58185", "CVE-2025-58185" ], "summary": "Parsing DER payload can cause memory exhaustion in encoding/asn1", "details": "Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.24.8" }, { "introduced": "1.25.0" }, { "fixed": "1.25.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "encoding/asn1", "symbols": [ "Unmarshal", "UnmarshalWithParams", "parseSequenceOf" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/75671" }, { "type": "FIX", "url": "https://go.dev/cl/709856" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI" } ], "credits": [ { "name": "Jakub Ciolek" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-4011", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-4012", "modified": "2025-10-29T21:50:05Z", "published": "2025-10-29T21:50:05Z", "aliases": [ "CVE-2025-58186", "CVE-2025-58186" ], "summary": "Lack of limit when parsing cookies can cause memory exhaustion in net/http", "details": "Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as \"a=;\", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.24.8" }, { "introduced": "1.25.0" }, { "fixed": "1.25.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "Client.Do", "Client.Get", "Client.Head", "Client.Post", "Client.PostForm", "Get", "Head", "ParseCookie", "Post", "PostForm", "Request.Cookie", "Request.Cookies", "Request.CookiesNamed", "Response.Cookies", "readCookies", "readSetCookies" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/75672" }, { "type": "FIX", "url": "https://go.dev/cl/709855" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI" } ], "credits": [ { "name": "jub0bs" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-4012", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-4013", "modified": "2025-10-29T21:50:08Z", "published": "2025-10-29T21:50:08Z", "aliases": [ "CVE-2025-58188", "CVE-2025-58188" ], "summary": "Panic when validating certificates with DSA public keys in crypto/x509", "details": "Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method.\n\nThis affects programs which validate arbitrary certificate chains.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.24.8" }, { "introduced": "1.25.0" }, { "fixed": "1.25.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/x509", "symbols": [ "Certificate.Verify", "alreadyInChain" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/709853" }, { "type": "REPORT", "url": "https://go.dev/issue/75675" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI" } ], "credits": [ { "name": "Jakub Ciolek" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-4013", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-4014", "modified": "2025-10-29T21:51:04Z", "published": "2025-10-29T21:51:04Z", "aliases": [ "CVE-2025-58183", "CVE-2025-58183" ], "summary": "Unbounded allocation when parsing GNU sparse map in archive/tar", "details": "tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.24.8" }, { "introduced": "1.25.0" }, { "fixed": "1.25.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "archive/tar", "symbols": [ "Reader.Next", "readGNUSparseMap1x0" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/709861" }, { "type": "REPORT", "url": "https://go.dev/issue/75677" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI" } ], "credits": [ { "name": "Harshit Gupta (Mr HAX)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-4014", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-4015", "modified": "2025-10-29T21:51:07Z", "published": "2025-10-29T21:51:07Z", "aliases": [ "CVE-2025-61724", "CVE-2025-61724" ], "summary": "Excessive CPU consumption in Reader.ReadResponse in net/textproto", "details": "The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.24.8" }, { "introduced": "1.25.0" }, { "fixed": "1.25.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/textproto", "symbols": [ "Reader.ReadResponse" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/709859" }, { "type": "REPORT", "url": "https://go.dev/issue/75716" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI" } ], "credits": [ { "name": "Jakub Ciolek" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-4015", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-4155", "modified": "2025-12-03T17:43:24Z", "published": "2025-12-02T18:30:24Z", "aliases": [ "CVE-2025-61729", "CVE-2025-61729" ], "summary": "Excessive resource consumption when printing error string for host certificate validation in crypto/x509", "details": "Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.24.11" }, { "introduced": "1.25.0" }, { "fixed": "1.25.5" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/x509", "symbols": [ "Certificate.Verify", "Certificate.VerifyHostname" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/725920" }, { "type": "REPORT", "url": "https://go.dev/issue/76445" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4" } ], "credits": [ { "name": "Philippe Antoine (Catena cyber)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-4155", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-4175", "modified": "2025-12-02T20:55:55Z", "published": "2025-12-02T20:55:55Z", "aliases": [ "CVE-2025-61727" ], "summary": "Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509", "details": "An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.24.11" }, { "introduced": "1.25.0" }, { "fixed": "1.25.5" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/x509", "symbols": [ "Certificate.Verify" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/723900" }, { "type": "REPORT", "url": "https://go.dev/issue/76442" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-4175", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2026-4337", "modified": "2026-02-05T17:23:09Z", "published": "2026-02-05T17:23:09Z", "aliases": [ "CVE-2025-68121" ], "summary": "Unexpected session resumption in crypto/tls", "details": "During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.24.13" }, { "introduced": "1.25.0-0" }, { "fixed": "1.25.7" }, { "introduced": "1.26.0-rc.1" }, { "fixed": "1.26.0-rc.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/tls", "symbols": [ "Conn.Handshake", "Conn.HandshakeContext", "Conn.Read", "Conn.Write", "Conn.handshakeContext", "Dial", "DialWithDialer", "Dialer.Dial", "Dialer.DialContext", "QUICConn.Start" ] } ] } } ], "references": [ { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk" }, { "type": "FIX", "url": "https://go.dev/cl/737700" }, { "type": "REPORT", "url": "https://go.dev/issue/77217" } ], "credits": [ { "name": "Coia Prant (github.com/rbqvq)" }, { "name": "Go Security Team" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2026-4337", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2026-4340", "modified": "2026-01-28T19:08:09Z", "published": "2026-01-28T19:08:09Z", "aliases": [ "CVE-2025-61730", "CVE-2025-61730" ], "summary": "Handshake messages may be processed at the incorrect encryption level in crypto/tls", "details": "During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.24.12" }, { "introduced": "1.25.0" }, { "fixed": "1.25.6" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/tls", "symbols": [ "Conn.Handshake", "Conn.HandshakeContext", "Conn.Read", "Conn.Write", "Conn.handleKeyUpdate", "Conn.handshakeContext", "Conn.quicSetReadSecret", "Dial", "DialWithDialer", "Dialer.Dial", "Dialer.DialContext", "QUICConn.HandleData", "QUICConn.Start", "clientHandshakeStateTLS13.establishHandshakeKeys", "clientHandshakeStateTLS13.readServerFinished", "clientHandshakeStateTLS13.sendClientFinished", "serverHandshakeStateTLS13.checkForResumption", "serverHandshakeStateTLS13.doHelloRetryRequest", "serverHandshakeStateTLS13.readClientFinished", "serverHandshakeStateTLS13.sendServerFinished", "serverHandshakeStateTLS13.sendServerParameters" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/724120" }, { "type": "REPORT", "url": "https://go.dev/issue/76443" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc" } ], "credits": [ { "name": "Coia Prant (github.com/rbqvq)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2026-4340", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2026-4341", "modified": "2026-01-28T19:08:18Z", "published": "2026-01-28T19:08:18Z", "aliases": [ "CVE-2025-61726", "CVE-2025-61726" ], "summary": "Memory exhaustion in query parameter parsing in net/url", "details": "The net/url package does not set a limit on the number of query parameters in a query.\n\nWhile the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.24.12" }, { "introduced": "1.25.0" }, { "fixed": "1.25.6" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/url", "symbols": [ "ParseQuery", "URL.Query", "parseQuery" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/736712" }, { "type": "REPORT", "url": "https://go.dev/issue/77101" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc" } ], "credits": [ { "name": "jub0bs" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2026-4341", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2026-4342", "modified": "2026-01-28T19:08:28Z", "published": "2026-01-28T19:08:28Z", "aliases": [ "CVE-2025-61728", "CVE-2025-61728" ], "summary": "Excessive CPU consumption when building archive index in archive/zip", "details": "archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.24.12" }, { "introduced": "1.25.0" }, { "fixed": "1.25.6" } ] } ], "ecosystem_specific": { "imports": [ { "path": "archive/zip", "symbols": [ "Reader.Open", "Reader.initFileList" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/736713" }, { "type": "REPORT", "url": "https://go.dev/issue/77102" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc" } ], "credits": [ { "name": "Jakub Ciolek" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2026-4342", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2026-4403", "modified": "2026-02-04T22:42:26Z", "published": "2026-02-04T22:42:26Z", "aliases": [ "CVE-2025-22873" ], "summary": "Improper access to parent directory of root in os", "details": "It was possible to improperly access the parent directory of an os.Root by opening a filename ending in \"../\". For example, Root.Open(\"../\") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.23.9" }, { "introduced": "1.24.0-0" }, { "fixed": "1.24.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "os", "symbols": [ "checkPathEscapesInternal", "doInRoot", "splitPathInRoot" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/670036" }, { "type": "REPORT", "url": "https://go.dev/issue/73555" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/UZoIkUT367A/m/5WDxKizJAQAJ" } ], "credits": [ { "name": "Dan Sebastian Thrane of SDU eScience Center" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2026-4403", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2026-4599", "modified": "2026-03-07T17:04:32Z", "published": "2026-03-06T21:03:42Z", "aliases": [ "CVE-2026-27137" ], "summary": "Incorrect enforcement of email constraints in crypto/x509", "details": "When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.26.0-0" }, { "fixed": "1.26.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/x509", "symbols": [ "Certificate.Verify", "checkChainConstraints", "checkConstraints", "emailConstraints.query", "newEmailConstraints", "parseMailboxes" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/752182" }, { "type": "REPORT", "url": "https://go.dev/issue/77952" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk" } ], "credits": [ { "name": "Jakub Ciolek" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2026-4599", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2026-4600", "modified": "2026-03-07T17:04:32Z", "published": "2026-03-06T21:03:42Z", "aliases": [ "CVE-2026-27138" ], "summary": "Panic in name constraint checking for malformed certificates in crypto/x509", "details": "Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.26.0-0" }, { "fixed": "1.26.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "crypto/x509", "symbols": [ "Certificate.Verify", "dnsConstraints.query" ] } ] } } ], "references": [ { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk" }, { "type": "REPORT", "url": "https://go.dev/issue/77953" }, { "type": "FIX", "url": "https://go.dev/cl/752183" } ], "credits": [ { "name": "Jakub Ciolek" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2026-4600", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2026-4601", "modified": "2026-03-06T21:03:42Z", "published": "2026-03-06T21:03:42Z", "aliases": [ "CVE-2026-25679" ], "summary": "Incorrect parsing of IPv6 host literals in net/url", "details": "url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.25.8" }, { "introduced": "1.26.0-0" }, { "fixed": "1.26.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/url", "symbols": [ "JoinPath", "Parse", "ParseRequestURI", "URL.Parse", "URL.UnmarshalBinary", "parseHost" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/752180" }, { "type": "REPORT", "url": "https://go.dev/issue/77578" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk" } ], "credits": [ { "name": "Masaki Hara (https://github.com/qnighy) of Wantedly" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2026-4601", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2026-4602", "modified": "2026-03-06T21:03:42Z", "published": "2026-03-06T21:03:42Z", "aliases": [ "CVE-2026-27139" ], "summary": "FileInfo can escape from a Root in os", "details": "On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.\n\nThe impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.25.8" }, { "introduced": "1.26.0-0" }, { "fixed": "1.26.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "os", "symbols": [ "File.ReadDir", "File.Readdir", "ReadDir", "dirFS.ReadDir", "rootFS.ReadDir" ] } ] } } ], "references": [ { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk" }, { "type": "REPORT", "url": "https://go.dev/issue/77827" }, { "type": "FIX", "url": "https://go.dev/cl/749480" } ], "credits": [ { "name": "Miloslav Trmač of Red Hat" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2026-4602", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2026-4603", "modified": "2026-03-06T21:03:42Z", "published": "2026-03-06T21:03:42Z", "aliases": [ "CVE-2026-27142" ], "summary": "URLs in meta content attribute actions are not escaped in html/template", "details": "Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value \"refresh\".\n\nA new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow \"url=\" by setting htmlmetacontenturlescape=0.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.25.8" }, { "introduced": "1.26.0-0" }, { "fixed": "1.26.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "html/template", "symbols": [ "Template.Execute", "Template.ExecuteTemplate", "escaper.escapeAction", "tTag" ] } ] } } ], "references": [ { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk" }, { "type": "REPORT", "url": "https://go.dev/issue/77954" }, { "type": "FIX", "url": "https://go.dev/cl/752081" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2026-4603", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2020-0001", "modified": "2024-05-20T16:03:47Z", "published": "2021-04-14T20:04:52Z", "aliases": [ "CVE-2020-36567", "GHSA-6vm3-jj99-7229" ], "summary": "Arbitrary log line injection in github.com/gin-gonic/gin", "details": "The default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path.", "affected": [ { "package": { "name": "github.com/gin-gonic/gin", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.6.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "github.com/gin-gonic/gin", "symbols": [ "Default", "Logger", "LoggerWithConfig", "LoggerWithFormatter", "LoggerWithWriter" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://github.com/gin-gonic/gin/pull/2237" }, { "type": "FIX", "url": "https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d" } ], "credits": [ { "name": "@thinkerou \u003cthinkerou@gmail.com\u003e" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2020-0001", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0052", "modified": "2024-05-20T16:03:47Z", "published": "2021-04-14T20:04:52Z", "aliases": [ "CVE-2020-28483", "GHSA-h395-qcrw-5vmq" ], "summary": "Inconsistent interpretation of HTTP Requests in github.com/gin-gonic/gin", "details": "Due to improper HTTP header sanitization, a malicious user can spoof their source IP address by setting the X-Forwarded-For header. This may allow a user to bypass IP based restrictions, or obfuscate their true source.", "affected": [ { "package": { "name": "github.com/gin-gonic/gin", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.7.7" } ] } ], "ecosystem_specific": { "imports": [ { "path": "github.com/gin-gonic/gin", "symbols": [ "Context.ClientIP", "Context.Next", "Context.RemoteIP", "Engine.HandleContext", "Engine.Run", "Engine.RunFd", "Engine.RunListener", "Engine.RunTLS", "Engine.RunUnix", "Engine.ServeHTTP" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://github.com/gin-gonic/gin/issues/2862" }, { "type": "REPORT", "url": "https://github.com/gin-gonic/gin/issues/2473" }, { "type": "REPORT", "url": "https://github.com/gin-gonic/gin/issues/2232" }, { "type": "FIX", "url": "https://github.com/gin-gonic/gin/pull/2844" }, { "type": "FIX", "url": "https://github.com/gin-gonic/gin/commit/5929d521715610c9dd14898ebbe1d188d5de8937" }, { "type": "FIX", "url": "https://github.com/gin-gonic/gin/pull/2632" }, { "type": "FIX", "url": "https://github.com/gin-gonic/gin/commit/bfc8ca285eb46dad60e037d57c545cd260636711" }, { "type": "FIX", "url": "https://github.com/gin-gonic/gin/pull/2675" }, { "type": "FIX", "url": "https://github.com/gin-gonic/gin/commit/03e5e05ae089bc989f1ca41841f05504d29e3fd9" }, { "type": "WEB", "url": "https://github.com/gin-gonic/gin/pull/2474" } ], "credits": [ { "name": "@sorenisanerd" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0052", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-1737", "modified": "2024-05-20T16:03:47Z", "published": "2023-05-11T18:59:56Z", "aliases": [ "CVE-2023-29401", "GHSA-2c4m-59x9-fr2g" ], "summary": "Improper handling of filenames in Content-Disposition HTTP header in github.com/gin-gonic/gin", "details": "The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of \"setup.bat\u0026quot;;x=.txt\" will be sent as a file named \"setup.bat\".\n\nIf the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.", "affected": [ { "package": { "name": "github.com/gin-gonic/gin", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.3.1-0.20190301021747-ccb9e902956d" }, { "fixed": "1.9.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "github.com/gin-gonic/gin", "symbols": [ "Context.FileAttachment" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://github.com/gin-gonic/gin/issues/3555" }, { "type": "FIX", "url": "https://github.com/gin-gonic/gin/pull/3556" }, { "type": "WEB", "url": "https://github.com/gin-gonic/gin/releases/tag/v1.9.1" } ], "credits": [ { "name": "motoyasu-saburi" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-1737", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0322", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-15T23:29:02Z", "aliases": [ "CVE-2022-21698", "GHSA-cg3q-j54f-5p7p" ], "summary": "Uncontrolled resource consumption in github.com/prometheus/client_golang", "details": "The Prometheus client_golang HTTP server is vulnerable to a denial of service attack when handling requests with non-standard HTTP methods.\n\nIn order to be affected, an instrumented software must use any of the promhttp.InstrumentHandler* middleware except RequestsInFlight; not filter any specific methods (e.g GET) before middleware; pass a metric with a \"method\" label name to a middleware; and not have any firewall/LB/proxy that filters away requests with unknown \"method\".", "affected": [ { "package": { "name": "github.com/prometheus/client_golang", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.11.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "github.com/prometheus/client_golang/prometheus/promhttp", "symbols": [ "Handler", "HandlerFor", "InstrumentHandlerCounter", "InstrumentHandlerDuration", "InstrumentHandlerRequestSize", "InstrumentHandlerResponseSize", "InstrumentHandlerTimeToWriteHeader", "InstrumentMetricHandler", "InstrumentRoundTripperCounter", "InstrumentRoundTripperDuration", "flusherDelegator.Flush", "readerFromDelegator.ReadFrom", "responseWriterDelegator.Write", "responseWriterDelegator.WriteHeader", "sanitizeMethod" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://github.com/prometheus/client_golang/pull/962" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0322", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-3540", "modified": "2025-03-26T17:24:24Z", "published": "2025-03-26T17:24:24Z", "aliases": [ "CVE-2025-29923", "GHSA-92cp-5422-2mw7" ], "summary": "Potential out of order responses when CLIENT SETINFO times out during connection establishment in github.com/redis/go-redis", "details": "Potential out of order responses when CLIENT SETINFO times out during connection establishment in github.com/redis/go-redis", "affected": [ { "package": { "name": "github.com/redis/go-redis", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "ecosystem_specific": {} }, { "package": { "name": "github.com/redis/go-redis", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "ecosystem_specific": {} }, { "package": { "name": "github.com/redis/go-redis", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "github.com/redis/go-redis/v9", "symbols": [ "baseClient.initConn", "redis.ClusterOptions", "redis.FailoverOptions", "redis.RingOptions", "redis.UniversalOptions" ] } ] } }, { "package": { "name": "github.com/redis/go-redis/v7", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "ecosystem_specific": {} }, { "package": { "name": "github.com/redis/go-redis/v8", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "ecosystem_specific": {} }, { "package": { "name": "github.com/redis/go-redis/v9", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "9.5.1" }, { "fixed": "9.5.5" } ] } ], "ecosystem_specific": { "imports": [ { "path": "github.com/redis/go-redis/v9", "symbols": [ "baseClient.initConn", "redis.ClusterOptions", "redis.FailoverOptions", "redis.RingOptions", "redis.UniversalOptions" ] } ] } }, { "package": { "name": "github.com/redis/go-redis/v9", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "9.6.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "github.com/redis/go-redis/v9", "symbols": [ "baseClient.initConn", "redis.ClusterOptions", "redis.FailoverOptions", "redis.RingOptions", "redis.UniversalOptions" ] } ] } }, { "package": { "name": "github.com/redis/go-redis/v9", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "9.7.0-beta.1" }, { "fixed": "9.7.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "github.com/redis/go-redis/v9", "symbols": [ "baseClient.initConn", "redis.ClusterOptions", "redis.FailoverOptions", "redis.RingOptions", "redis.UniversalOptions" ] } ] } } ], "references": [ { "type": "ADVISORY", "url": "https://github.com/redis/go-redis/security/advisories/GHSA-92cp-5422-2mw7" }, { "type": "FIX", "url": "https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6" }, { "type": "FIX", "url": "https://github.com/redis/go-redis/pull/3295" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-3540", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-3540", "modified": "2025-03-26T17:24:24Z", "published": "2025-03-26T17:24:24Z", "aliases": [ "CVE-2025-29923", "GHSA-92cp-5422-2mw7" ], "summary": "Potential out of order responses when CLIENT SETINFO times out during connection establishment in github.com/redis/go-redis", "details": "Potential out of order responses when CLIENT SETINFO times out during connection establishment in github.com/redis/go-redis", "affected": [ { "package": { "name": "github.com/redis/go-redis", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "ecosystem_specific": {} }, { "package": { "name": "github.com/redis/go-redis", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "ecosystem_specific": {} }, { "package": { "name": "github.com/redis/go-redis", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "github.com/redis/go-redis/v9", "symbols": [ "baseClient.initConn", "redis.ClusterOptions", "redis.FailoverOptions", "redis.RingOptions", "redis.UniversalOptions" ] } ] } }, { "package": { "name": "github.com/redis/go-redis/v7", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "ecosystem_specific": {} }, { "package": { "name": "github.com/redis/go-redis/v8", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "ecosystem_specific": {} }, { "package": { "name": "github.com/redis/go-redis/v9", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "9.5.1" }, { "fixed": "9.5.5" } ] } ], "ecosystem_specific": { "imports": [ { "path": "github.com/redis/go-redis/v9", "symbols": [ "baseClient.initConn", "redis.ClusterOptions", "redis.FailoverOptions", "redis.RingOptions", "redis.UniversalOptions" ] } ] } }, { "package": { "name": "github.com/redis/go-redis/v9", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "9.6.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "github.com/redis/go-redis/v9", "symbols": [ "baseClient.initConn", "redis.ClusterOptions", "redis.FailoverOptions", "redis.RingOptions", "redis.UniversalOptions" ] } ] } }, { "package": { "name": "github.com/redis/go-redis/v9", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "9.7.0-beta.1" }, { "fixed": "9.7.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "github.com/redis/go-redis/v9", "symbols": [ "baseClient.initConn", "redis.ClusterOptions", "redis.FailoverOptions", "redis.RingOptions", "redis.UniversalOptions" ] } ] } } ], "references": [ { "type": "ADVISORY", "url": "https://github.com/redis/go-redis/security/advisories/GHSA-92cp-5422-2mw7" }, { "type": "FIX", "url": "https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6" }, { "type": "FIX", "url": "https://github.com/redis/go-redis/pull/3295" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-3540", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-3540", "modified": "2025-03-26T17:24:24Z", "published": "2025-03-26T17:24:24Z", "aliases": [ "CVE-2025-29923", "GHSA-92cp-5422-2mw7" ], "summary": "Potential out of order responses when CLIENT SETINFO times out during connection establishment in github.com/redis/go-redis", "details": "Potential out of order responses when CLIENT SETINFO times out during connection establishment in github.com/redis/go-redis", "affected": [ { "package": { "name": "github.com/redis/go-redis", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "ecosystem_specific": {} }, { "package": { "name": "github.com/redis/go-redis", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "ecosystem_specific": {} }, { "package": { "name": "github.com/redis/go-redis", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "github.com/redis/go-redis/v9", "symbols": [ "baseClient.initConn", "redis.ClusterOptions", "redis.FailoverOptions", "redis.RingOptions", "redis.UniversalOptions" ] } ] } }, { "package": { "name": "github.com/redis/go-redis/v7", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "ecosystem_specific": {} }, { "package": { "name": "github.com/redis/go-redis/v8", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "ecosystem_specific": {} }, { "package": { "name": "github.com/redis/go-redis/v9", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "9.5.1" }, { "fixed": "9.5.5" } ] } ], "ecosystem_specific": { "imports": [ { "path": "github.com/redis/go-redis/v9", "symbols": [ "baseClient.initConn", "redis.ClusterOptions", "redis.FailoverOptions", "redis.RingOptions", "redis.UniversalOptions" ] } ] } }, { "package": { "name": "github.com/redis/go-redis/v9", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "9.6.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "github.com/redis/go-redis/v9", "symbols": [ "baseClient.initConn", "redis.ClusterOptions", "redis.FailoverOptions", "redis.RingOptions", "redis.UniversalOptions" ] } ] } }, { "package": { "name": "github.com/redis/go-redis/v9", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "9.7.0-beta.1" }, { "fixed": "9.7.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "github.com/redis/go-redis/v9", "symbols": [ "baseClient.initConn", "redis.ClusterOptions", "redis.FailoverOptions", "redis.RingOptions", "redis.UniversalOptions" ] } ] } } ], "references": [ { "type": "ADVISORY", "url": "https://github.com/redis/go-redis/security/advisories/GHSA-92cp-5422-2mw7" }, { "type": "FIX", "url": "https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6" }, { "type": "FIX", "url": "https://github.com/redis/go-redis/pull/3295" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-3540", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2020-0014", "modified": "2024-05-20T16:03:47Z", "published": "2021-04-14T20:04:52Z", "aliases": [ "CVE-2018-17846", "GHSA-vfw5-hrgq-h5wf" ], "summary": "Infinite loop due to improper handling of \"select\" tags in golang.org/x/net/html", "details": "html.Parse does not properly handle \"select\" tags, which can lead to an infinite loop. If parsing user supplied input, this may be used as a denial of service vector.", "affected": [ { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20190125091013-d26f9f9a57f3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/html", "symbols": [ "Parse", "ParseFragment", "inSelectIM", "inSelectInTableIM" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go-review.googlesource.com/c/137275" }, { "type": "FIX", "url": "https://go.googlesource.com/net/+/d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf" }, { "type": "REPORT", "url": "https://go.dev/issue/27842" } ], "credits": [ { "name": "@tr3ee" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2020-0014", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0078", "modified": "2024-05-20T16:03:47Z", "published": "2021-04-14T20:04:52Z", "aliases": [ "CVE-2018-17075", "GHSA-5p4h-3377-7w67" ], "summary": "Panic when parsing malformed HTML in golang.org/x/net/html", "details": "The HTML parser does not properly handle \"in frameset\" insertion mode, and can be made to panic when operating on malformed HTML that contains \u003ctemplate\u003e tags. If operating on user input, this may be a vector for a denial of service attack.", "affected": [ { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20180816102801-aaf60122140d" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/html", "symbols": [ "Parse", "ParseFragment", "inBodyIM", "inFramesetIM" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/123776" }, { "type": "FIX", "url": "https://go.googlesource.com/net/+/aaf60122140d3fcf75376d319f0554393160eb50" }, { "type": "REPORT", "url": "https://go.dev/issue/27016" }, { "type": "WEB", "url": "https://bugs.chromium.org/p/chromium/issues/detail?id=829668" }, { "type": "WEB", "url": "https://go-review.googlesource.com/c/net/+/94838/9/html/parse.go#1906" } ], "credits": [ { "name": "Kunpei Sakai" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0078", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2021-0238", "modified": "2024-05-20T16:03:47Z", "published": "2022-02-17T17:33:43Z", "aliases": [ "CVE-2021-33194", "GHSA-83g2-8m93-v3w7" ], "summary": "Infinite loop when parsing inputs in golang.org/x/net/html", "details": "An attacker can craft an input to ParseFragment that causes it to enter an infinite loop and never return.", "affected": [ { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20210520170846-37e1c6afe023" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/html", "symbols": [ "Parse", "ParseFragment", "ParseFragmentWithOptions", "ParseWithOptions", "inHeadIM" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/311090" }, { "type": "FIX", "url": "https://go.googlesource.com/net/+/37e1c6afe02340126705deced573a85ab75209d7" }, { "type": "REPORT", "url": "https://go.dev/issue/46288" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/wPunbCPkWUg" } ], "credits": [ { "name": "OSS-Fuzz (discovery)" }, { "name": "Andrew Thornton (reporter)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0238", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0192", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-01T20:11:34Z", "aliases": [ "CVE-2018-17142", "GHSA-2wp2-chmh-r934" ], "summary": "Incorrect parsing of nested templates in golang.org/x/net/html", "details": "The Parse function can panic on some invalid inputs.\n\nFor example, the Parse function panics on the input \"\u003cmath\u003e\u003ctemplate\u003e\u003cmo\u003e\u003ctemplate\u003e\".", "affected": [ { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20180925071336-cf3bd585ca2a" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/html", "symbols": [ "Parse", "ParseFragment", "parser.resetInsertionMode" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/136875" }, { "type": "FIX", "url": "https://go.googlesource.com/net/+/cf3bd585ca2a5a21b057abd8be7eea2204af89d0" }, { "type": "REPORT", "url": "https://go.dev/issue/27702" } ], "credits": [ { "name": "@tr3ee" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0192", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0193", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-06T18:14:54Z", "aliases": [ "CVE-2018-17143", "GHSA-fcf9-6fv2-fc5v" ], "summary": "Panic on unconsidered isindex and template combination in golang.org/x/net/html", "details": "The Parse function can panic on some invalid inputs.\n\nFor example, the Parse function panics on the input \"\u003ctemplate\u003e\u003ctBody\u003e\u003cisindex/action=0\u003e\".", "affected": [ { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20180921000356-2f5d2388922f" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/html", "symbols": [ "Parse", "ParseFragment", "inBodyIM" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go-review.googlesource.com/c/net/+/136575" }, { "type": "FIX", "url": "https://go.googlesource.com/net/+/2f5d2388922f370f4355f327fcf4cfe9f5583908" }, { "type": "REPORT", "url": "https://go.dev/issue/27704" } ], "credits": [ { "name": "@tr3ee" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0193", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0197", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-01T20:15:19Z", "aliases": [ "CVE-2018-17847", "CVE-2018-17848", "GHSA-4r78-hx75-jjj2", "GHSA-mv93-wvcp-7m7r" ], "summary": "Panic when parsing certain inputs in golang.org/x/net/html", "details": "The Parse function can panic on some invalid inputs.\n\nFor example, the Parse function panics on the input \"\u003csvg\u003e\u003ctemplate\u003e\u003cdesc\u003e\u003ct\u003e\u003csvg\u003e\u003c/template\u003e\".", "affected": [ { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20190125002852-4b62a64f59f7" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/html", "symbols": [ "Parse", "ParseFragment", "nodeStack.contains" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/159397" }, { "type": "FIX", "url": "https://go.googlesource.com/net/+/4b62a64f59f73840b9ab79204c94fee61cd1ba2c" }, { "type": "REPORT", "url": "https://go.dev/issue/27846" } ], "credits": [ { "name": "@tr3ee" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0197", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0236", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-15T23:04:18Z", "aliases": [ "CVE-2021-31525", "GHSA-h86h-8ppg-mxmh" ], "summary": "Panic due to large headers in net/http and golang.org/x/net/http/httpguts", "details": "A malicious HTTP server or client can cause the net/http client or server to panic.\n\nReadRequest and ReadResponse can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client.\n\nThis also affects golang.org/x/net/http2/h2c and HeaderValuesContainsToken in golang.org/x/net/http/httpguts.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.15.12" }, { "introduced": "1.16.0-0" }, { "fixed": "1.16.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "http2clientStream.writeRequest", "http2isConnectionCloseRequest", "isProtocolSwitchHeader", "shouldClose" ] } ] } }, { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20210428140749-89ef3d95e781" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http/httpguts", "symbols": [ "HeaderValuesContainsToken", "headerValueContainsToken" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/313069" }, { "type": "FIX", "url": "https://go.googlesource.com/net/+/89ef3d95e781148a0951956029c92a211477f7f9" }, { "type": "REPORT", "url": "https://go.dev/issue/45710" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/cu9SP4eSXMc" } ], "credits": [ { "name": "Guido Vranken" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0236", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0288", "modified": "2024-05-20T16:03:47Z", "published": "2022-07-15T23:08:33Z", "aliases": [ "CVE-2021-44716", "GHSA-vc3p-29h2-gpcp" ], "summary": "Unbounded memory growth in net/http and golang.org/x/net/http2", "details": "An attacker can cause unbounded memory growth in servers accepting HTTP/2 requests.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.16.12" }, { "introduced": "1.17.0-0" }, { "fixed": "1.17.5" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "http2serverConn.canonicalHeader" ] } ] } }, { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20211209124913-491a49abca63" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2", "symbols": [ "Server.ServeConn", "serverConn.canonicalHeader" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/369794" }, { "type": "REPORT", "url": "https://go.dev/issue/50058" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/hcmEScgc00k" } ], "credits": [ { "name": "murakmii" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0288", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0536", "modified": "2024-05-20T16:03:47Z", "published": "2022-08-01T22:20:53Z", "aliases": [ "CVE-2019-9512", "CVE-2019-9514", "GHSA-39qc-96h7-956f", "GHSA-hgr8-6h9x-f7q9" ], "summary": "Reset flood in net/http and golang.org/x/net/http", "details": "Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service.\n\nServers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.11.13" }, { "introduced": "1.12.0-0" }, { "fixed": "1.12.8" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "http2serverConn.scheduleFrameWrite", "http2serverConn.serve", "http2serverConn.writeFrame" ] } ] } }, { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20190813141303-74dc4d7220e7" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2", "symbols": [ "Server.ServeConn", "serverConn.scheduleFrameWrite", "serverConn.serve", "serverConn.writeFrame" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/190137" }, { "type": "FIX", "url": "https://go.googlesource.com/go/+/145e193131eb486077b66009beb051aba07c52a5" }, { "type": "REPORT", "url": "https://go.dev/issue/33606" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/65QixT3tcmg/m/DrFiG6vvCwAJ" } ], "credits": [ { "name": "Jonathan Looney of Netflix" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0536", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-0969", "modified": "2024-05-20T16:03:47Z", "published": "2022-09-12T20:23:06Z", "aliases": [ "CVE-2022-27664", "GHSA-69cg-p879-7622" ], "summary": "Denial of service in net/http and golang.org/x/net/http2", "details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.18.6" }, { "introduced": "1.19.0-0" }, { "fixed": "1.19.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "ListenAndServe", "ListenAndServeTLS", "Serve", "ServeTLS", "Server.ListenAndServe", "Server.ListenAndServeTLS", "Server.Serve", "Server.ServeTLS", "http2Server.ServeConn", "http2serverConn.goAway" ] } ] } }, { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20220906165146-f3363e06e74c" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2", "symbols": [ "Server.ServeConn", "serverConn.goAway" ] } ] } } ], "references": [ { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s" }, { "type": "REPORT", "url": "https://go.dev/issue/54658" }, { "type": "FIX", "url": "https://go.dev/cl/428735" } ], "credits": [ { "name": "Bahruz Jabiyev" }, { "name": "Tommaso Innocenti" }, { "name": "Anthony Gavazzi" }, { "name": "Steven Sprecher" }, { "name": "Kaan Onarlioglu" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-0969", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2022-1144", "modified": "2024-05-20T16:03:47Z", "published": "2022-12-08T19:01:21Z", "aliases": [ "CVE-2022-41717", "GHSA-xrjj-mj9h-534m" ], "summary": "Excessive memory growth in net/http and golang.org/x/net/http2", "details": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.\n\nHTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.18.9" }, { "introduced": "1.19.0-0" }, { "fixed": "1.19.4" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "ListenAndServe", "ListenAndServeTLS", "Serve", "ServeTLS", "Server.ListenAndServe", "Server.ListenAndServeTLS", "Server.Serve", "Server.ServeTLS", "http2Server.ServeConn", "http2serverConn.canonicalHeader" ] } ] } }, { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.4.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2", "symbols": [ "Server.ServeConn", "serverConn.canonicalHeader" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/56350" }, { "type": "FIX", "url": "https://go.dev/cl/455717" }, { "type": "FIX", "url": "https://go.dev/cl/455635" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ" } ], "credits": [ { "name": "Josselin Costanzi" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2022-1144", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-1495", "modified": "2024-05-20T16:03:47Z", "published": "2023-01-13T22:39:40Z", "aliases": [ "CVE-2022-41721", "GHSA-fxg5-wq6x-vr4w" ], "summary": "Request smuggling due to improper request handling in golang.org/x/net/http2/h2c", "details": "A request smuggling attack is possible when using MaxBytesHandler.\n\nWhen using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.", "affected": [ { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-20220524220425-1d687d428aca" }, { "fixed": "0.1.1-0.20221104162952-702349b0e862" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2/h2c", "symbols": [ "h2cHandler.ServeHTTP", "h2cUpgrade" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/56352" }, { "type": "FIX", "url": "https://go.dev/cl/447396" } ], "credits": [ { "name": "John Howard (Google)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-1495", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-1571", "modified": "2024-05-20T16:03:47Z", "published": "2023-02-16T22:31:36Z", "aliases": [ "CVE-2022-41723", "GHSA-vvpx-j8f3-3w6h" ], "summary": "Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net", "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.19.6" }, { "introduced": "1.20.0-0" }, { "fixed": "1.20.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "Client.Do", "Client.Get", "Client.Head", "Client.Post", "Client.PostForm", "Get", "Head", "ListenAndServe", "ListenAndServeTLS", "Post", "PostForm", "Serve", "ServeTLS", "Server.ListenAndServe", "Server.ListenAndServeTLS", "Server.Serve", "Server.ServeTLS", "Transport.RoundTrip" ] } ] } }, { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.7.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2", "symbols": [ "ClientConn.Close", "ClientConn.Ping", "ClientConn.RoundTrip", "ClientConn.Shutdown", "ConfigureServer", "ConfigureTransport", "ConfigureTransports", "ConnectionError.Error", "ErrCode.String", "FrameHeader.String", "FrameType.String", "FrameWriteRequest.String", "Framer.ReadFrame", "Framer.WriteContinuation", "Framer.WriteData", "Framer.WriteDataPadded", "Framer.WriteGoAway", "Framer.WriteHeaders", "Framer.WritePing", "Framer.WritePriority", "Framer.WritePushPromise", "Framer.WriteRSTStream", "Framer.WriteRawFrame", "Framer.WriteSettings", "Framer.WriteSettingsAck", "Framer.WriteWindowUpdate", "GoAwayError.Error", "ReadFrameHeader", "Server.ServeConn", "Setting.String", "SettingID.String", "SettingsFrame.ForeachSetting", "StreamError.Error", "Transport.CloseIdleConnections", "Transport.NewClientConn", "Transport.RoundTrip", "Transport.RoundTripOpt", "bufferedWriter.Flush", "bufferedWriter.Write", "chunkWriter.Write", "clientConnPool.GetClientConn", "connError.Error", "dataBuffer.Read", "duplicatePseudoHeaderError.Error", "gzipReader.Close", "gzipReader.Read", "headerFieldNameError.Error", "headerFieldValueError.Error", "noDialClientConnPool.GetClientConn", "noDialH2RoundTripper.RoundTrip", "pipe.Read", "priorityWriteScheduler.CloseStream", "priorityWriteScheduler.OpenStream", "pseudoHeaderError.Error", "requestBody.Close", "requestBody.Read", "responseWriter.Flush", "responseWriter.FlushError", "responseWriter.Push", "responseWriter.SetReadDeadline", "responseWriter.SetWriteDeadline", "responseWriter.Write", "responseWriter.WriteHeader", "responseWriter.WriteString", "serverConn.CloseConn", "serverConn.Flush", "stickyErrWriter.Write", "transportResponseBody.Close", "transportResponseBody.Read", "writeData.String" ] }, { "path": "golang.org/x/net/http2/hpack", "symbols": [ "Decoder.DecodeFull", "Decoder.Write", "Decoder.parseFieldLiteral", "Decoder.readString" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/57855" }, { "type": "FIX", "url": "https://go.dev/cl/468135" }, { "type": "FIX", "url": "https://go.dev/cl/468295" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" } ], "credits": [ { "name": "Philippe Antoine (Catena cyber)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-1571", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-1988", "modified": "2024-05-20T16:03:47Z", "published": "2023-08-02T15:06:27Z", "aliases": [ "CVE-2023-3978", "GHSA-2wrh-6pvc-2jm9" ], "summary": "Improper rendering of text nodes in golang.org/x/net/html", "details": "Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.", "affected": [ { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.13.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/html", "symbols": [ "Render", "render1" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/61615" }, { "type": "FIX", "url": "https://go.dev/cl/514896" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-1988", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-2102", "modified": "2024-05-20T16:03:47Z", "published": "2023-10-11T16:49:53Z", "aliases": [ "CVE-2023-39325", "GHSA-4374-p667-p6c8" ], "summary": "HTTP/2 rapid reset can cause excessive work in net/http", "details": "A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.\n\nWith the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection.\n\nThis issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2.\n\nThe default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.20.10" }, { "introduced": "1.21.0-0" }, { "fixed": "1.21.3" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "ListenAndServe", "ListenAndServeTLS", "Serve", "ServeTLS", "Server.ListenAndServe", "Server.ListenAndServeTLS", "Server.Serve", "Server.ServeTLS", "http2Server.ServeConn", "http2serverConn.processHeaders", "http2serverConn.runHandler", "http2serverConn.serve", "http2serverConn.upgradeRequest" ] } ] } }, { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.17.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2", "symbols": [ "Server.ServeConn", "serverConn.processHeaders", "serverConn.runHandler", "serverConn.serve", "serverConn.upgradeRequest" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/63417" }, { "type": "FIX", "url": "https://go.dev/cl/534215" }, { "type": "FIX", "url": "https://go.dev/cl/534235" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-2102", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2024-2687", "modified": "2024-05-20T16:03:47Z", "published": "2024-04-03T21:12:01Z", "aliases": [ "CVE-2023-45288", "GHSA-4v7x-pqxf-cx7m" ], "summary": "HTTP/2 CONTINUATION flood in net/http", "details": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames.\n\nMaintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed.\n\nThis permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.\n\nThe fix sets a limit on the amount of excess header frames we will process before closing a connection.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.21.9" }, { "introduced": "1.22.0-0" }, { "fixed": "1.22.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "CanonicalHeaderKey", "Client.CloseIdleConnections", "Client.Do", "Client.Get", "Client.Head", "Client.Post", "Client.PostForm", "Cookie.String", "Cookie.Valid", "Dir.Open", "Error", "Get", "HandlerFunc.ServeHTTP", "Head", "Header.Add", "Header.Del", "Header.Get", "Header.Set", "Header.Values", "Header.Write", "Header.WriteSubset", "ListenAndServe", "ListenAndServeTLS", "NewRequest", "NewRequestWithContext", "NotFound", "ParseTime", "Post", "PostForm", "ProxyFromEnvironment", "ReadRequest", "ReadResponse", "Redirect", "Request.AddCookie", "Request.BasicAuth", "Request.FormFile", "Request.FormValue", "Request.MultipartReader", "Request.ParseForm", "Request.ParseMultipartForm", "Request.PostFormValue", "Request.Referer", "Request.SetBasicAuth", "Request.UserAgent", "Request.Write", "Request.WriteProxy", "Response.Cookies", "Response.Location", "Response.Write", "ResponseController.EnableFullDuplex", "ResponseController.Flush", "ResponseController.Hijack", "ResponseController.SetReadDeadline", "ResponseController.SetWriteDeadline", "Serve", "ServeContent", "ServeFile", "ServeMux.ServeHTTP", "ServeTLS", "Server.Close", "Server.ListenAndServe", "Server.ListenAndServeTLS", "Server.Serve", "Server.ServeTLS", "Server.SetKeepAlivesEnabled", "Server.Shutdown", "SetCookie", "Transport.CancelRequest", "Transport.Clone", "Transport.CloseIdleConnections", "Transport.RoundTrip", "body.Close", "body.Read", "bodyEOFSignal.Close", "bodyEOFSignal.Read", "bodyLocked.Read", "bufioFlushWriter.Write", "cancelTimerBody.Close", "cancelTimerBody.Read", "checkConnErrorWriter.Write", "chunkWriter.Write", "connReader.Read", "connectMethodKey.String", "expectContinueReader.Close", "expectContinueReader.Read", "extraHeader.Write", "fileHandler.ServeHTTP", "fileTransport.RoundTrip", "globalOptionsHandler.ServeHTTP", "gzipReader.Close", "gzipReader.Read", "http2ClientConn.Close", "http2ClientConn.Ping", "http2ClientConn.RoundTrip", "http2ClientConn.Shutdown", "http2ConnectionError.Error", "http2ErrCode.String", "http2FrameHeader.String", "http2FrameType.String", "http2FrameWriteRequest.String", "http2Framer.ReadFrame", "http2Framer.WriteContinuation", "http2Framer.WriteData", "http2Framer.WriteDataPadded", "http2Framer.WriteGoAway", "http2Framer.WriteHeaders", "http2Framer.WritePing", "http2Framer.WritePriority", "http2Framer.WritePushPromise", "http2Framer.WriteRSTStream", "http2Framer.WriteRawFrame", "http2Framer.WriteSettings", "http2Framer.WriteSettingsAck", "http2Framer.WriteWindowUpdate", "http2Framer.readMetaFrame", "http2GoAwayError.Error", "http2Server.ServeConn", "http2Setting.String", "http2SettingID.String", "http2SettingsFrame.ForeachSetting", "http2StreamError.Error", "http2Transport.CloseIdleConnections", "http2Transport.NewClientConn", "http2Transport.RoundTrip", "http2Transport.RoundTripOpt", "http2bufferedWriter.Flush", "http2bufferedWriter.Write", "http2chunkWriter.Write", "http2clientConnPool.GetClientConn", "http2connError.Error", "http2dataBuffer.Read", "http2duplicatePseudoHeaderError.Error", "http2gzipReader.Close", "http2gzipReader.Read", "http2headerFieldNameError.Error", "http2headerFieldValueError.Error", "http2noDialClientConnPool.GetClientConn", "http2noDialH2RoundTripper.RoundTrip", "http2pipe.Read", "http2priorityWriteScheduler.CloseStream", "http2priorityWriteScheduler.OpenStream", "http2pseudoHeaderError.Error", "http2requestBody.Close", "http2requestBody.Read", "http2responseWriter.Flush", "http2responseWriter.FlushError", "http2responseWriter.Push", "http2responseWriter.SetReadDeadline", "http2responseWriter.SetWriteDeadline", "http2responseWriter.Write", "http2responseWriter.WriteHeader", "http2responseWriter.WriteString", "http2roundRobinWriteScheduler.OpenStream", "http2serverConn.CloseConn", "http2serverConn.Flush", "http2stickyErrWriter.Write", "http2transportResponseBody.Close", "http2transportResponseBody.Read", "http2writeData.String", "initALPNRequest.ServeHTTP", "loggingConn.Close", "loggingConn.Read", "loggingConn.Write", "maxBytesReader.Close", "maxBytesReader.Read", "onceCloseListener.Close", "persistConn.Read", "persistConnWriter.ReadFrom", "persistConnWriter.Write", "populateResponse.Write", "populateResponse.WriteHeader", "readTrackingBody.Close", "readTrackingBody.Read", "readWriteCloserBody.Read", "redirectHandler.ServeHTTP", "response.Flush", "response.FlushError", "response.Hijack", "response.ReadFrom", "response.Write", "response.WriteHeader", "response.WriteString", "serverHandler.ServeHTTP", "socksDialer.DialWithConn", "socksUsernamePassword.Authenticate", "stringWriter.WriteString", "timeoutHandler.ServeHTTP", "timeoutWriter.Write", "timeoutWriter.WriteHeader", "transportReadFromServerError.Error" ] } ] } }, { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.23.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2", "symbols": [ "ClientConn.Close", "ClientConn.Ping", "ClientConn.RoundTrip", "ClientConn.Shutdown", "ConfigureServer", "ConfigureTransport", "ConfigureTransports", "ConnectionError.Error", "ErrCode.String", "FrameHeader.String", "FrameType.String", "FrameWriteRequest.String", "Framer.ReadFrame", "Framer.WriteContinuation", "Framer.WriteData", "Framer.WriteDataPadded", "Framer.WriteGoAway", "Framer.WriteHeaders", "Framer.WritePing", "Framer.WritePriority", "Framer.WritePushPromise", "Framer.WriteRSTStream", "Framer.WriteRawFrame", "Framer.WriteSettings", "Framer.WriteSettingsAck", "Framer.WriteWindowUpdate", "Framer.readMetaFrame", "GoAwayError.Error", "ReadFrameHeader", "Server.ServeConn", "Setting.String", "SettingID.String", "SettingsFrame.ForeachSetting", "StreamError.Error", "Transport.CloseIdleConnections", "Transport.NewClientConn", "Transport.RoundTrip", "Transport.RoundTripOpt", "bufferedWriter.Flush", "bufferedWriter.Write", "chunkWriter.Write", "clientConnPool.GetClientConn", "connError.Error", "dataBuffer.Read", "duplicatePseudoHeaderError.Error", "gzipReader.Close", "gzipReader.Read", "headerFieldNameError.Error", "headerFieldValueError.Error", "noDialClientConnPool.GetClientConn", "noDialH2RoundTripper.RoundTrip", "pipe.Read", "priorityWriteScheduler.CloseStream", "priorityWriteScheduler.OpenStream", "pseudoHeaderError.Error", "requestBody.Close", "requestBody.Read", "responseWriter.Flush", "responseWriter.FlushError", "responseWriter.Push", "responseWriter.SetReadDeadline", "responseWriter.SetWriteDeadline", "responseWriter.Write", "responseWriter.WriteHeader", "responseWriter.WriteString", "roundRobinWriteScheduler.OpenStream", "serverConn.CloseConn", "serverConn.Flush", "stickyErrWriter.Write", "transportResponseBody.Close", "transportResponseBody.Read", "writeData.String" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/65051" }, { "type": "FIX", "url": "https://go.dev/cl/576155" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M" } ], "credits": [ { "name": "Bartek Nowotarski (https://nowotarski.info/)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-2687", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2024-3333", "modified": "2024-12-20T20:37:27Z", "published": "2024-12-18T20:22:06Z", "aliases": [ "CVE-2024-45338", "GHSA-w32m-9786-jp63" ], "summary": "Non-linear parsing of case-insensitive content in golang.org/x/net/html", "details": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.", "affected": [ { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.33.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/html", "symbols": [ "Parse", "ParseFragment", "ParseFragmentWithOptions", "ParseWithOptions", "htmlIntegrationPoint", "inBodyIM", "inTableIM", "parseDoctype" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/637536" }, { "type": "REPORT", "url": "https://go.dev/issue/70906" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ" } ], "credits": [ { "name": "Guido Vranken" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-3333", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-3503", "modified": "2025-03-12T18:17:07Z", "published": "2025-03-12T18:17:07Z", "aliases": [ "CVE-2025-22870" ], "summary": "HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net", "details": "Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to \"*.example.com\", a request to \"[::1%25.example.com]:80` will incorrectly match and not be proxied.", "affected": [ { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.36.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http/httpproxy", "symbols": [ "config.useProxy", "domainMatch.match" ] }, { "path": "golang.org/x/net/proxy", "symbols": [ "Dial", "FromEnvironment", "FromEnvironmentUsing", "PerHost.AddFromString", "PerHost.Dial", "PerHost.DialContext", "PerHost.dialerForRequest" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/654697" }, { "type": "REPORT", "url": "https://go.dev/issue/71984" } ], "credits": [ { "name": "Juho Forsén of Mattermost" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-3503", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-3595", "modified": "2025-04-16T16:54:55Z", "published": "2025-04-16T16:54:55Z", "aliases": [ "CVE-2025-22872" ], "summary": "Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net", "details": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).", "affected": [ { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.38.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/html", "symbols": [ "Parse", "ParseFragment", "ParseFragmentWithOptions", "ParseWithOptions", "Tokenizer.Next", "Tokenizer.readStartTag" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/662715" }, { "type": "REPORT", "url": "https://go.dev/issue/73070" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA" } ], "credits": [ { "name": "Sean Ng (https://ensy.zip)" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-3595", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2026-4440", "modified": "2026-02-05T17:23:14Z", "published": "2026-02-05T17:23:14Z", "aliases": [ "CVE-2025-47911" ], "summary": "Quadratic parsing complexity in golang.org/x/net/html", "details": "The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.", "affected": [ { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.45.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/html", "symbols": [ "Parse", "ParseFragment", "ParseFragmentWithOptions", "ParseWithOptions", "parser.parse" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/709876" }, { "type": "REPORT", "url": "https://github.com/golang/vulndb/issues/4440" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c" } ], "credits": [ { "name": "Guido Vranken" }, { "name": "Jakub Ciolek" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2026-4440", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2026-4441", "modified": "2026-02-05T17:23:17Z", "published": "2026-02-05T17:23:17Z", "aliases": [ "CVE-2025-58190" ], "summary": "Infinite parsing loop in golang.org/x/net", "details": "The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.", "affected": [ { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.45.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/html", "symbols": [ "Parse", "ParseFragment", "ParseFragmentWithOptions", "ParseWithOptions", "inRowIM" ] } ] } } ], "references": [ { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c" }, { "type": "REPORT", "url": "https://github.com/golang/vulndb/issues/4441" }, { "type": "FIX", "url": "https://go.dev/cl/709875" } ], "credits": [ { "name": "Guido Vranken" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2026-4441", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2026-4559", "modified": "2026-02-26T18:24:17Z", "published": "2026-02-26T18:24:17Z", "aliases": [ "CVE-2026-27141" ], "summary": "Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net", "details": "Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic", "affected": [ { "package": { "name": "golang.org/x/net", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.50.0" }, { "fixed": "0.51.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2", "symbols": [ "ClientConn.Close", "ClientConn.Ping", "ClientConn.RoundTrip", "ClientConn.Shutdown", "ConfigureServer", "ConfigureTransport", "ConfigureTransports", "ConnectionError.Error", "ErrCode.String", "FrameHeader.String", "FrameType.String", "FrameWriteRequest.String", "Framer.ReadFrame", "Framer.ReadFrameForHeader", "Framer.ReadFrameHeader", "Framer.WriteContinuation", "Framer.WriteData", "Framer.WriteDataPadded", "Framer.WriteGoAway", "Framer.WriteHeaders", "Framer.WritePing", "Framer.WritePriority", "Framer.WritePriorityUpdate", "Framer.WritePushPromise", "Framer.WriteRSTStream", "Framer.WriteRawFrame", "Framer.WriteSettings", "Framer.WriteSettingsAck", "Framer.WriteWindowUpdate", "GoAwayError.Error", "ReadFrameHeader", "Server.ServeConn", "Setting.String", "SettingID.String", "SettingsFrame.ForeachSetting", "StreamError.Error", "Transport.CloseIdleConnections", "Transport.NewClientConn", "Transport.RoundTrip", "Transport.RoundTripOpt", "bufferedWriter.Flush", "bufferedWriter.Write", "bufferedWriterTimeoutWriter.Write", "chunkWriter.Write", "clientConnPool.GetClientConn", "connError.Error", "dataBuffer.Read", "duplicatePseudoHeaderError.Error", "gzipReader.Close", "gzipReader.Read", "headerFieldNameError.Error", "headerFieldValueError.Error", "netHTTPClientConn.Close", "netHTTPClientConn.RoundTrip", "noDialClientConnPool.GetClientConn", "noDialH2RoundTripper.NewClientConn", "noDialH2RoundTripper.RoundTrip", "pipe.Read", "priorityWriteSchedulerRFC7540.CloseStream", "priorityWriteSchedulerRFC7540.OpenStream", "priorityWriteSchedulerRFC9218.OpenStream", "pseudoHeaderError.Error", "requestBody.Close", "requestBody.Read", "responseWriter.Flush", "responseWriter.FlushError", "responseWriter.Push", "responseWriter.SetReadDeadline", "responseWriter.SetWriteDeadline", "responseWriter.Write", "responseWriter.WriteHeader", "responseWriter.WriteString", "roundRobinWriteScheduler.OpenStream", "serverConn.CloseConn", "serverConn.Flush", "stickyErrWriter.Write", "transportResponseBody.Close", "transportResponseBody.Read", "typeFrameParser", "unencryptedTransport.RoundTrip", "writeData.String" ] } ] } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27141" }, { "type": "FIX", "url": "https://go.dev/cl/746180" }, { "type": "REPORT", "url": "https://go.dev/issue/77652" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2026-4559", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2025-3553", "modified": "2025-04-08T21:04:08Z", "published": "2025-03-26T17:24:24Z", "aliases": [ "CVE-2025-30204", "GHSA-mh63-6h87-95cp" ], "summary": "Excessive memory allocation during header parsing in github.com/golang-jwt/jwt", "details": "Excessive memory allocation during header parsing in github.com/golang-jwt/jwt", "affected": [ { "package": { "name": "github.com/golang-jwt/jwt", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "ecosystem_specific": {} }, { "package": { "name": "github.com/golang-jwt/jwt/v4", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "4.5.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "github.com/golang-jwt/jwt/v4", "symbols": [ "Parser.ParseUnverified" ] } ] } }, { "package": { "name": "github.com/golang-jwt/jwt/v5", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "5.0.0-rc.1" }, { "fixed": "5.2.2" } ] } ], "ecosystem_specific": { "imports": [ { "path": "github.com/golang-jwt/jwt/v5", "symbols": [ "Parser.ParseUnverified" ] } ] } } ], "references": [ { "type": "ADVISORY", "url": "https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp" }, { "type": "FIX", "url": "https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2025-3553", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2023-1631", "modified": "2024-05-20T16:03:47Z", "published": "2023-03-14T16:47:00Z", "aliases": [ "CVE-2023-24535", "GHSA-hw7c-3rfg-p46j" ], "summary": "Panic when parsing invalid messages in google.golang.org/protobuf", "details": "Parsing invalid messages can panic.\n\nParsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.", "affected": [ { "package": { "name": "google.golang.org/protobuf", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.29.0" }, { "fixed": "1.29.1" } ] } ], "ecosystem_specific": { "imports": [ { "path": "google.golang.org/protobuf/encoding/prototext", "symbols": [ "Unmarshal", "UnmarshalOptions.Unmarshal", "UnmarshalOptions.unmarshal" ] }, { "path": "google.golang.org/protobuf/internal/encoding/text", "symbols": [ "Decoder.Peek", "Decoder.Read", "parseNumber" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/475995" }, { "type": "REPORT", "url": "https://github.com/golang/protobuf/issues/1530" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-1631", "review_status": "REVIEWED" } } } { "osv": { "schema_version": "1.3.1", "id": "GO-2024-2611", "modified": "2024-05-20T16:03:47Z", "published": "2024-03-05T20:24:05Z", "aliases": [ "CVE-2024-24786", "GHSA-8r3f-844c-mc37" ], "summary": "Infinite loop in JSON unmarshaling in google.golang.org/protobuf", "details": "The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.", "affected": [ { "package": { "name": "google.golang.org/protobuf", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.33.0" } ] } ], "ecosystem_specific": { "imports": [ { "path": "google.golang.org/protobuf/encoding/protojson", "symbols": [ "Unmarshal", "UnmarshalOptions.Unmarshal", "UnmarshalOptions.unmarshal" ] }, { "path": "google.golang.org/protobuf/internal/encoding/json", "symbols": [ "Decoder.Peek", "Decoder.Read" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://go.dev/cl/569356" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-2611", "review_status": "REVIEWED" } } } { "progress": { "message": "Checking the code against the vulnerabilities..." } } { "finding": { "osv": "GO-2025-3488", "fixed_version": "v0.27.0", "trace": [ { "module": "golang.org/x/oauth2", "version": "v0.18.0" } ] } } { "finding": { "osv": "GO-2025-3553", "fixed_version": "v5.2.2", "trace": [ { "module": "github.com/golang-jwt/jwt/v5", "version": "v5.2.1" } ] } } { "finding": { "osv": "GO-2025-3553", "fixed_version": "v5.2.2", "trace": [ { "module": "github.com/golang-jwt/jwt/v5", "version": "v5.2.1", "package": "github.com/golang-jwt/jwt/v5" } ] } } { "finding": { "osv": "GO-2025-3553", "fixed_version": "v5.2.2", "trace": [ { "module": "github.com/golang-jwt/jwt/v5", "version": "v5.2.1", "package": "github.com/golang-jwt/jwt/v5", "function": "ParseUnverified", "receiver": "*Parser", "position": { "filename": "parser.go", "offset": 4097, "line": 138, "column": 18 } }, { "module": "github.com/golang-jwt/jwt/v5", "version": "v5.2.1", "package": "github.com/golang-jwt/jwt/v5", "function": "ParseWithClaims", "receiver": "*Parser", "position": { "filename": "parser.go", "offset": 1766, "line": 56, "column": 40 } }, { "module": "github.com/golang-jwt/jwt/v5", "version": "v5.2.1", "package": "github.com/golang-jwt/jwt/v5", "function": "ParseWithClaims", "position": { "filename": "parser.go", "offset": 7942, "line": 237, "column": 46 } }, { "module": "github.com/user-management-system", "package": "github.com/user-management-system/internal/auth", "function": "ParseToken", "receiver": "*JWT", "position": { "filename": "internal/auth/jwt.go", "offset": 9631, "line": 361, "column": 35 } } ] } }