AZL-77064 CVE-2025-58190 affecting package packer 1.9.5-11

The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service DoS if an attacker provides specially crafted HTML content...

AZL-77067 CVE-2025-47911 affecting package packer 1.9.5-11

The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service DoS if an attacker provides specially crafted HTML content...

AZL-55079 CVE-2025-21614 affecting package packer for versions less than 1.9.5-7

go-git is a highly extensible git implementation library written in pure Go. A denial of service DoS vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git serve...

AZL-52189 CVE-2024-51744 affecting package packer for versions less than 1.9.5-9

golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in ParseWithClaims can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by...

AZL-33330 CVE-2023-39325 affecting package packer for versions less than 1.8.7-2

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...