Go standard library — Vulnerabilities & Security Advisories (107)

Browse all 107 CVE security advisories affecting the Go standard library. AI-powered Chinese analysis, POCs, and references for each vulnerability.

The Go standard library provides essential built-in packages for networking, cryptography, and system interaction, serving as the foundational runtime for millions of applications. Despite its robust design, it has recorded approximately 100 Common Vulnerabilities and Exposures (CVEs), primarily stemming from logic errors in parsing or concurrency handling rather than complex exploitation chains. Historically, common vulnerability classes include denial-of-service conditions via malformed input, race conditions in concurrent data structures, and occasional remote code execution flaws within specific subsystems like HTTP servers or crypto implementations. Notable incidents often involve improper validation leading to memory corruption or information disclosure. While the library is generally secure, its widespread adoption means even minor flaws can impact a vast ecosystem. Developers must remain vigilant about applying patches and updates, as the standard library’s central role amplifies the risk of any discovered defect affecting dependent software infrastructure.

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2023-45290 | Memory exhaustion in multipart form parsing in net/textproto and net/http — net/textproto | 7.5 (AI) | High (AI) | 2024-03-05 |
| CVE-2024-24783 | Verify panics on certificates with an unknown public key algorithm in crypto/x509 — crypto/x509 | 7.5 (AI) | High (AI) | 2024-03-05 |
| CVE-2023-39326 | Denial of service via chunk extensions in net/http — net/http/internal | 7.5 | - | 2023-12-06 |
| CVE-2023-45287 | Before Go 1.20, the RSA based key exchange methods in crypto/tls may exhibit a timing side channel — crypto/tls | 5.9 | - | 2023-12-05 |
| CVE-2023-45284 | Incorrect detection of reserved device names on Windows in path/filepath — path/filepath | 4.3 | - | 2023-11-09 |
| CVE-2023-45283 | Insecure parsing of Windows paths with a \??\ prefix in path/filepath — path/filepath | 9.1 | - | 2023-11-09 |
| CVE-2023-39325 | HTTP/2 rapid reset can cause excessive work in net/http — net/http | 7.5 | - | 2023-10-11 |
| CVE-2023-39322 | Memory exhaustion in QUIC connection handling in crypto/tls — crypto/tls | 7.5 | - | 2023-09-08 |
| CVE-2023-39321 | Panic when processing post-handshake message on QUIC connections in crypto/tls — crypto/tls | 7.5 | - | 2023-09-08 |
| CVE-2023-39319 | Improper handling of special tags within script contexts in html/template — html/template | 6.1 | - | 2023-09-08 |
| CVE-2023-39318 | Improper handling of HTML-like comments in script contexts in html/template — html/template | 6.1 | - | 2023-09-08 |
| CVE-2023-29409 | Large RSA keys can cause high CPU usage in crypto/tls — crypto/tls | 7.5 | - | 2023-08-02 |
| CVE-2023-29406 | Insufficient sanitization of Host header in net/http — net/http | 7.5 | - | 2023-07-11 |
| CVE-2023-29403 | Unsafe behavior in setuid/setgid binaries in runtime — runtime | 7.8 | - | 2023-06-08 |
| CVE-2023-24539 | Improper sanitization of CSS values in html/template — html/template | 7.2 | - | 2023-05-11 |
| CVE-2023-24540 | Improper handling of JavaScript whitespace in html/template — html/template | 9.8 | - | 2023-05-11 |
| CVE-2023-29400 | Improper handling of empty HTML attributes in html/template — html/template | 5.3 | - | 2023-05-11 |
| CVE-2023-24537 | Infinite loop in parsing in go/scanner — go/scanner | 7.5 | - | 2023-04-06 |
| CVE-2023-24538 | Backticks not treated as string delimiters in html/template — html/template | 10.0 | - | 2023-04-06 |
| CVE-2023-24534 | Excessive memory allocation in net/http and net/textproto — net/textproto | 7.5 | - | 2023-04-06 |
| CVE-2023-24536 | Excessive resource consumption in net/http, net/textproto and mime/multipart — mime/multipart | 7.5 | - | 2023-04-06 |
| CVE-2023-24532 | Incorrect calculation on P256 curves in crypto/internal/nistec — crypto/internal/nistec | 6.5 | - | 2023-03-08 |
| CVE-2022-41723 | Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net — net/http | 7.5 | - | 2023-02-28 |
| CVE-2022-41724 | Panic on large handshake records in crypto/tls — crypto/tls | 7.5 | - | 2023-02-28 |
| CVE-2022-41725 | Excessive resource consumption in mime/multipart — mime/multipart | 7.5 | - | 2023-02-28 |
| CVE-2022-41722 | Path traversal on Windows in path/filepath — path/filepath | 7.5 | - | 2023-02-28 |
| CVE-2022-41717 | Excessive memory growth in net/http and golang.org/x/net/http2 — net/http | 5.3 | - | 2022-12-08 |
| CVE-2022-41720 | Restricted file access on Windows in os and net/http — os | 7.1 | - | 2022-12-07 |
| CVE-2022-41716 | Unsanitized NUL in environment variables on Windows in syscall and os/exec — syscall | 9.1 | - | 2022-11-02 |
| CVE-2022-2879 | Unbounded memory consumption when reading headers in archive/tar — archive/tar | 6.5 | - | 2022-10-14 |

This page lists every published CVE security advisory associated with the Go standard library. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.