Go standard library — Vulnerabilities & Security Advisories (107)

Browse all 107 CVE security advisories affecting the Go standard library. AI-powered Chinese analysis, POCs, and references for each vulnerability.

The Go standard library provides essential built-in packages for networking, cryptography, and system interaction, serving as the foundational runtime for millions of applications. Despite its robust design, it has recorded approximately 100 Common Vulnerabilities and Exposures (CVEs), primarily stemming from logic errors in parsing or concurrency handling rather than complex exploitation chains. Historically, common vulnerability classes include denial-of-service conditions via malformed input, race conditions in concurrent data structures, and occasional remote code execution flaws within specific subsystems like HTTP servers or crypto implementations. Notable incidents often involve improper validation leading to memory corruption or information disclosure. While the library is generally secure, its widespread adoption means even minor flaws can impact a vast ecosystem. Developers must remain vigilant about applying patches, as the standard library’s central role amplifies the risk of any discovered defect affecting dependent software infrastructure.

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2025-58185 | Parsing DER payload can cause memory exhaustion in encoding/asn1 — encoding/asn1 | 6.2 (AI) | Medium (AI) | 2025-10-29 |
| CVE-2025-58187 | Quadratic complexity when checking name constraints in crypto/x509 — crypto/x509 | 5.3 (AI) | Medium (AI) | 2025-10-29 |
| CVE-2025-58189 | ALPN negotiation error contains attacker controlled information in crypto/tls — crypto/tls | 7.5 (AI) | High (AI) | 2025-10-29 |
| CVE-2025-47912 | Insufficient validation of bracketed IPv6 hostnames in net/url — net/url | - | - (AI) | 2025-10-29 |
| CVE-2025-61723 | Quadratic complexity when parsing some invalid inputs in encoding/pem — encoding/pem | 7.5 (AI) | High (AI) | 2025-10-29 |
| CVE-2025-61725 | Excessive CPU consumption in ParseAddress in net/mail — net/mail | 7.5 (AI) | High (AI) | 2025-10-29 |
| CVE-2025-47910 | CrossOriginProtection insecure bypass patterns not limited to exact matches in net/http — net/http | 7.5 (AI) | High (AI) | 2025-09-22 |
| CVE-2025-47906 | Unexpected paths returned from LookPath in os/exec — os/exec | 7.5 (AI) | High (AI) | 2025-09-18 |
| CVE-2025-47907 | Incorrect results returned from Rows.Scan in database/sql — database/sql | 5.3 (AI) | Medium (AI) | 2025-08-07 |
| CVE-2024-8244 | Walk/WalkDir in path/filepath susceptible to symlink race — path/filepath | 4.7 | - | 2025-08-06 |
| CVE-2025-0913 | Inconsistent handling of O_CREATE\|O_EXCL on Unix and Windows in os in syscall — syscall | - | - (AI) | 2025-06-11 |
| CVE-2025-22874 | Usage of ExtKeyUsageAny disables policy validation in crypto/x509 — crypto/x509 | 6.5 (AI) | Medium (AI) | 2025-06-11 |
| CVE-2025-4673 | Sensitive headers not cleared on cross-origin redirect in net/http — net/http | 6.5 (AI) | Medium (AI) | 2025-06-11 |
| CVE-2025-22871 | Request smuggling due to acceptance of invalid chunked data in net/http — net/http/internal | 9.1 (AI) | Critical (AI) | 2025-04-08 |
| CVE-2025-22870 | HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net — net/http | 5.3 | - | 2025-03-12 |
| CVE-2025-22866 | Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec — crypto/internal/nistec | 7.5 | - | 2025-02-06 |
| CVE-2025-22865 | ParsePKCS1PrivateKey panic with partial keys in crypto/x509 — crypto/x509 | 7.5 | - | 2025-01-28 |
| CVE-2024-45336 | Sensitive headers incorrectly sent after cross-domain redirect in net/http — net/http | 8.2 | - | 2025-01-28 |
| CVE-2024-45341 | Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509 — crypto/x509 | 5.3 | - | 2025-01-28 |
| CVE-2024-34158 | Stack exhaustion in Parse in go/build/constraint — go/build/constraint | 7.5 | - | 2024-09-06 |
| CVE-2024-34156 | Stack exhaustion in Decoder.Decode in encoding/gob — encoding/gob | 7.5 | - | 2024-09-06 |
| CVE-2024-34155 | Stack exhaustion in all Parse functions in go/parser — go/parser | 7.5 | - | 2024-09-06 |
| CVE-2024-24791 | Denial of service due to improper 100-continue handling in net/http — net/http | 7.5 (AI) | High (AI) | 2024-07-02 |
| CVE-2024-24789 | Mishandling of corrupt central directory record in archive/zip — archive/zip | 5.3 (AI) | Medium (AI) | 2024-06-05 |
| CVE-2024-24790 | Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in net/netip — net/netip | - | - (AI) | 2024-06-05 |
| CVE-2024-24788 | Malformed DNS message can cause infinite loop in net — net | 7.5 (AI) | High (AI) | 2024-05-08 |
| CVE-2023-45288 | HTTP/2 CONTINUATION flood in net/http — net/http | 7.5 | - | 2024-04-04 |
| CVE-2024-24785 | Errors returned from JSON marshaling may break template escaping in html/template — html/template | 5.3 (AI) | Medium (AI) | 2024-03-05 |
| CVE-2024-24784 | Comments in display names are incorrectly handled in net/mail — net/mail | 7.5 (AI) | High (AI) | 2024-03-05 |
| CVE-2023-45289 | Incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http — net/http | 7.1 (AI) | High (AI) | 2024-03-05 |

This page lists every published CVE security advisory associated with the Go standard library. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.