Filtered by vendor Golang
Total: 161 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-58187 | 1 Golang | 1 Go | 2026-01-29 | N/A | 7.5 HIGH |
| Due to the design of the name constraint checking algorithm, the processing time of some inputs scales non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. | |||||
| CVE-2025-58188 | 1 Golang | 1 Go | 2026-01-29 | N/A | 7.5 HIGH |
| Validating certificate chains which contain DSA public keys can cause programs to panic, due to an interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. | |||||
| CVE-2025-58189 | 1 Golang | 1 Go | 2026-01-29 | N/A | 5.3 MEDIUM |
| When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. | |||||
| CVE-2025-61723 | 1 Golang | 1 Go | 2026-01-29 | N/A | 7.5 HIGH |
| The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. | |||||
| CVE-2025-61724 | 1 Golang | 1 Go | 2026-01-29 | N/A | 5.3 MEDIUM |
| The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. | |||||
| CVE-2025-47912 | 1 Golang | 1 Go | 2026-01-29 | N/A | 5.3 MEDIUM |
| The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. | |||||
| CVE-2025-58185 | 1 Golang | 1 Go | 2026-01-29 | N/A | 5.3 MEDIUM |
| Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. | |||||
| CVE-2025-47906 | 1 Golang | 1 Go | 2026-01-27 | N/A | 6.5 MEDIUM |
| If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned. | |||||
| CVE-2025-61729 | 1 Golang | 1 Go | 2025-12-19 | N/A | 7.5 HIGH |
| Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption. | |||||
| CVE-2025-61727 | 1 Golang | 1 Go | 2025-12-18 | N/A | 6.5 MEDIUM |
| An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. | |||||
| CVE-2025-47914 | 1 Golang | 1 Crypto | 2025-12-11 | N/A | 5.3 MEDIUM |
| SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic with an out-of-bounds read if the message is malformed. | |||||
| CVE-2025-58181 | 1 Golang | 1 Crypto | 2025-12-11 | N/A | 5.3 MEDIUM |
| SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. | |||||
| CVE-2024-3566 | 7 Golang, Haskell, Microsoft and 4 more | 7 Go, Process Library, Windows and 4 more | 2025-11-18 | N/A | 9.8 CRITICAL |
| A command injection vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied. | |||||
| CVE-2023-44487 | 32 Akka, Amazon, Apache and 29 more | 313 Http Server, Opensearch Data Prepper, Apisix and 310 more | 2025-11-07 | N/A | 7.5 HIGH |
| The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | |||||
| CVE-2023-48795 | 42 9bis, Apache, Apple and 39 more | 68 Kitty, Sshd, Sshj and 65 more | 2025-11-04 | N/A | 5.9 MEDIUM |
| The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. | |||||
| CVE-2020-0601 | 2 Golang, Microsoft | 14 Go, Windows, Windows 10 1507 and 11 more | 2025-10-29 | 5.8 MEDIUM | 8.1 HIGH |
| A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'. | |||||
| CVE-2022-30631 | 1 Golang | 1 Go | 2025-10-20 | N/A | 7.5 HIGH |
| Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files. | |||||
| CVE-2025-0913 | 2 Golang, Microsoft | 2 Go, Windows | 2025-08-08 | N/A | 5.5 MEDIUM |
| os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink. | |||||
| CVE-2023-39323 | 2 Fedoraproject, Golang | 2 Fedora, Go | 2025-06-12 | N/A | 8.1 HIGH |
| Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex. | |||||
| CVE-2022-32149 | 1 Golang | 1 Text | 2025-05-15 | N/A | 7.5 HIGH |
| An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse. | |||||
