
15 matches found

OSV
added 2026/05/22 6:28 p.m., 7 views

GO-2026-5024 Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows

NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error...

3.3 CVSS, 5.9 AI score, 0.00145 EPSS
Exploits: 0, References: 3

RedHat Linux
added 2026/05/19 9:46 p.m., 9 views

github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object

A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the...

7.5 CVSS, 6.3 AI score, 0.00274 EPSS
Exploits: 0, References: 6

OSV
added 2025/12/19 9:59 a.m., 5 views

CLSA-2025-1766138358 Update of golang

Update to Go 1.25.3...

5.8 AI score
Exploits: 0, References: 1

CNNVD
added 2025/12/02 12:00 a.m., 4 views

Eclipse Paho Go MQTT v3.1 library security vulnerability

Eclipse Paho Go MQTT v3.1 library is a Go language software library from the Eclipse Foundation. A security vulnerability exists in Eclipse Paho Go MQTT v3.1 library version 1.5.0 and prior versions, which originates from an overflow during unchecked data-length conversion and could lead to the...

6.3 CVSS, 6.4 AI score, 0.00189 EPSS
Exploits: 0, References: 2

Positive Technologies
added 2025/11/07 12:00 a.m., 3 views

PT-2025-45412

Name of the Vulnerable Software and Affected Versions: archives version 1.0.0. Description: archives is a Go library used for extracting archives such as tar and zip files. Version 1.0.0 does not adequately prevent a malicious user from providing a specially crafted archive that could lead to Remote...

6 CVSS, 7.1 AI score, 0.00315 EPSS
Exploits: 0, References: 6

Snyk
added 2025/10/29 9:49 p.m., 2 views

Improper Encoding or Escaping of Output

Overview: std/crypto/tls is a Go standard library package. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output. Go Vulnerability Report: When Conn.Handshake fails during ALPN negotiation, the error contains attacker-controlled information the AL...

6.9 CVSS, 6.7 AI score, 0.00414 EPSS
Exploits: 0, References: 3

Tenable Nessus
added 2025/08/18 12:00 a.m., 2 views

Linux Distros Unpatched Vulnerability : CVE-2018-17419

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in setTA in scanrr.go in the Miek Gieben DNS library before 1.0.10 for Go. A dns.ParseZone parsing error causes a segmentation violation...

7.5 CVSS, 6.1 AI score, 0.0176 EPSS
Exploits: 1, References: 2

Microsoft CVE
added 2025/07/11 7:00 a.m., 2 views

Sensitive headers not cleared on cross-origin redirect in net/http

...

6.8 CVSS, 7.5 AI score, 0.0056 EPSS
Exploits: 0

RedHat Linux
added 2025/06/25 12:20 p.m., 4 views

net/http: Request smuggling due to acceptance of invalid chunked data in net/http

A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling—where an attacker tricks the system to se...

9.1 CVSS, 7.1 AI score, 0.00682 EPSS
Exploits: 0, References: 8

ATTACKERKB
added 2023/12/12 3:15 a.m., 4 views

CVE-2023-50424

SAP BTP Security Services Integration Library Golang github.com/sap/cloud-security-client-go - versions 0.17.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application...

9.8 CVSS, 7.4 AI score, 0.01127 EPSS
Exploits: 0, References: 7, Affected Software: 1

Snyk
added 2023/12/05 4:16 p.m., 2 views

Timing Attack

Overview: std/crypto/tls is a Go standard library package. Affected versions of this package are vulnerable to Timing Attack. Go Vulnerability Report: via the crypto/tls process. An attacker can recover session key bits by exploiting timing information leaked during the removal of...

8.7 CVSS, 6.5 AI score, 0.0125 EPSS
Exploits: 0, References: 3

OSV
added 2023/07/11 8:15 p.m., 3 views

AZL-37418 CVE-2023-29406 affecting package golang for versions less than 1.21.6-1

The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value...

6.5 CVSS, 6.7 AI score, 0.0125 EPSS
Exploits: 0, References: 1

OSV
added 2022/12/26 6:15 a.m., 2 views

AZL-41469 CVE-2021-38561 affecting package cni for versions less than 1.1.2-2

golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack...

7.5 CVSS, 7.1 AI score, 0.01356 EPSS
Exploits: 0, References: 1

RedHat Linux
added 2022/08/01 4:07 p.m., 3 views

golang: encoding/pem: fix stack overflow in Decode

A buffer overflow flaw was found in Golang's library encoding/pem. This flaw allows an attacker to use a large PEM input (more than 5 MB), causing a stack overflow in Decode, which leads to a loss of availability...

7.5 CVSS, 7.3 AI score, 0.05292 EPSS
Exploits: 1, References: 5

CNVD
added 2021/01/06 12:00 a.m., 2 views

GJSON Denial of Service Vulnerability (CNVD-2021-04422)

GJSON is a Go package that provides a fast and easy way to get values from json documents. A denial of service vulnerability exists in GJSON versions prior to 1.6.5. An attacker can exploit this vulnerability to cause a denial of service via specially crafted JSON...

7.5 CVSS, 6.7 AI score, 0.0182 EPSS
Exploits: 1, References: 1