
Go standard library — Vulnerabilities & Security Advisories (107)

Browse all 107 CVE security advisories affecting Go standard library. AI-powered Chinese analysis, POCs, and references for each vulnerability.

The Go standard library provides the built-in packages for networking, cryptography, and system interaction that form the foundational runtime for millions of applications. Despite its robust design, it has recorded approximately 100 Common Vulnerabilities and Exposures (CVEs), most of them stemming from logic errors in parsing or concurrency handling rather than from complex exploitation chains. Historically, the common vulnerability classes are denial of service via malformed input, race conditions in concurrent data structures, and occasional remote code execution flaws in specific subsystems such as the HTTP server or the crypto implementations. Notable incidents often involve improper validation leading to memory corruption or information disclosure. While the library is generally secure, its widespread adoption means that even minor flaws affect a vast ecosystem. Developers should apply patch releases promptly, because the standard library's central role amplifies the impact of any defect on dependent software.

| CVE ID | Title | Package | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-39820 | Quadratic string concatenation in consumeComment in net/mail | net/mail | 7.5 (AI) | High (AI) | 2026-05-07 |
| CVE-2026-39823 | Bypass of meta content URL escaping causes XSS in html/template | html/template | 6.1 (AI) | Medium (AI) | 2026-05-07 |
| CVE-2026-33811 | Crash when handling long CNAME response in net | net | 7.5 (AI) | High (AI) | 2026-05-07 |
| CVE-2026-39826 | Escaper bypass leads to XSS in html/template | html/template | 5.0 (AI) | Medium (AI) | 2026-05-07 |
| CVE-2026-42499 | Quadratic string concatenation in consumePhrase in net/mail | net/mail | 7.5 (AI) | High (AI) | 2026-05-07 |
| CVE-2026-39825 | ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil | net/http/httputil | 5.3 (AI) | Medium (AI) | 2026-05-07 |
| CVE-2026-39836 | Panic in Dial and LookupPort when handling NUL byte on Windows in net | net | 7.5 (AI) | High (AI) | 2026-05-07 |
| CVE-2026-32280 | Unexpected work during chain building in crypto/x509 | crypto/x509 | 7.5 (AI) | High (AI) | 2026-04-08 |
| CVE-2026-32283 | Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls | crypto/tls | 7.5 (AI) | High (AI) | 2026-04-08 |
| CVE-2026-32281 | Inefficient policy validation in crypto/x509 | crypto/x509 | 7.5 (AI) | High (AI) | 2026-04-08 |
| CVE-2026-33810 | Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509 | crypto/x509 | 6.5 (AI) | Medium (AI) | 2026-04-08 |
| CVE-2026-32288 | Unbounded allocation for old GNU sparse in archive/tar | archive/tar | 6.2 (AI) | Medium (AI) | 2026-04-08 |
| CVE-2026-32289 | JsBraceDepth Context Tracking Bugs (XSS) in html/template | html/template | 6.1 (AI) | Medium (AI) | 2026-04-08 |
| CVE-2026-32282 | TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix | internal/syscall/unix | 7.7 (AI) | High (AI) | 2026-04-08 |
| CVE-2026-27142 | URLs in meta content attribute actions are not escaped in html/template | html/template | 6.1 | - | 2026-03-06 |
| CVE-2026-27139 | FileInfo can escape from a Root in os | os | 4.0 | - | 2026-03-06 |
| CVE-2026-27137 | Incorrect enforcement of email constraints in crypto/x509 | crypto/x509 | 5.3 | - | 2026-03-06 |
| CVE-2026-27138 | Panic in name constraint checking for malformed certificates in crypto/x509 | crypto/x509 | 7.5 | - | 2026-03-06 |
| CVE-2026-25679 | Incorrect parsing of IPv6 host literals in net/url | net/url | 5.3 | - | 2026-03-06 |
| CVE-2025-68121 | Unexpected session resumption in crypto/tls | crypto/tls | 5.4 (AI) | Medium (AI) | 2026-02-05 |
| CVE-2025-22873 | Improper access to parent directory of root in os | os | 7.5 (AI) | High (AI) | 2026-02-04 |
| CVE-2025-61726 | Memory exhaustion in query parameter parsing in net/url | net/url | 7.5 (AI) | High (AI) | 2026-01-28 |
| CVE-2025-61730 | Handshake messages may be processed at the incorrect encryption level in crypto/tls | crypto/tls | 3.3 (AI) | Low (AI) | 2026-01-28 |
| CVE-2025-61728 | Excessive CPU consumption when building archive index in archive/zip | archive/zip | 6.2 (AI) | Medium (AI) | 2026-01-28 |
| CVE-2025-61727 | Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509 | crypto/x509 | 9.8 (AI) | Critical (AI) | 2025-12-03 |
| CVE-2025-61729 | Excessive resource consumption when printing error string for host certificate validation in crypto/x509 | crypto/x509 | 7.5 (AI) | High (AI) | 2025-12-02 |
| CVE-2025-61724 | Excessive CPU consumption in Reader.ReadResponse in net/textproto | net/textproto | 7.5 (AI) | High (AI) | 2025-10-29 |
| CVE-2025-58183 | Unbounded allocation when parsing GNU sparse map in archive/tar | archive/tar | 8.1 (AI) | High (AI) | 2025-10-29 |
| CVE-2025-58185 | Parsing DER payload can cause memory exhaustion in encoding/asn1 | encoding/asn1 | 6.2 (AI) | Medium (AI) | 2025-10-29 |
| CVE-2025-58188 | Panic when validating certificates with DSA public keys in crypto/x509 | crypto/x509 | 7.5 (AI) | High (AI) | 2025-10-29 |

(AI) marks a CVSS score or severity produced by the site's AI analysis; "-" means no severity is listed.

This page lists every published CVE security advisory associated with Go standard library. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.