Go standard library — Vulnerabilities & Security Advisories (107)

Browse all 107 CVE security advisories affecting Go standard library. AI-powered Chinese analysis, POCs, and references for each vulnerability.

The Go standard library provides essential built-in packages for networking, cryptography, and system interaction, serving as the foundational runtime for millions of applications. Despite its robust design, it has recorded approximately 100 Common Vulnerabilities and Exposures (CVEs), primarily stemming from logic errors in parsing or concurrency handling rather than complex exploitation chains. Historically, common vulnerability classes include denial-of-service conditions via malformed input, race conditions in concurrent data structures, and occasional remote code execution flaws within specific subsystems like HTTP servers or crypto implementations. Notable incidents often involve improper validation leading to memory corruption or information disclosure. While the library is generally secure, its widespread adoption means even minor flaws can impact a vast ecosystem. Developers must remain vigilant about applying security updates, as the standard library’s central role amplifies the risk of any discovered defect affecting dependent software infrastructure.

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2022-2880 | Incorrect sanitization of forwarded query parameters in net/http/httputil — net/http/httputil | 5.3 | - | 2022-10-14 |
| CVE-2022-41715 | Memory exhaustion when compiling regular expressions in regexp/syntax — regexp/syntax | 7.5 | - | 2022-10-14 |
| CVE-2022-32190 | Failure to strip relative path components in net/url — net/url | 7.5 | - | 2022-09-13 |
| CVE-2022-32148 | Exposure of client IP addresses in net/http — net/http | - | - | 2022-08-09 |
| CVE-2022-1962 | Stack exhaustion due to deeply nested types in go/parser — go/parser | 6.2 | - | 2022-08-09 |
| CVE-2022-30580 | Empty Cmd.Path can trigger unintended binary in os/exec on Windows — os/exec | 8.4 | - | 2022-08-09 |
| CVE-2022-32189 | Panic when decoding Float and Rat types in math/big — math/big | 7.5 | - | 2022-08-09 |
| CVE-2022-30629 | Session tickets lack random ticket_age_add in crypto/tls — crypto/tls | 5.3 | - | 2022-08-09 |
| CVE-2022-30630 | Stack exhaustion in Glob on certain paths in io/fs — io/fs | 7.5 | - | 2022-08-09 |
| CVE-2022-1705 | Improper sanitization of Transfer-Encoding headers in net/http — net/http | 6.5 | - | 2022-08-09 |
| CVE-2022-30631 | Stack exhaustion when reading certain archives in compress/gzip — compress/gzip | 7.5 | - | 2022-08-09 |
| CVE-2022-30633 | Stack exhaustion when unmarshaling certain documents in encoding/xml — encoding/xml | 7.5 | - | 2022-08-09 |
| CVE-2022-30635 | Stack exhaustion when decoding certain messages in encoding/gob — encoding/gob | 7.5 | - | 2022-08-09 |
| CVE-2022-30632 | Stack exhaustion on crafted paths in path/filepath — path/filepath | 7.5 | - | 2022-08-09 |
| CVE-2022-28131 | Stack exhaustion from deeply nested XML documents in encoding/xml — encoding/xml | 7.5 | - | 2022-08-09 |
| CVE-2022-29804 | Path traversal via Clean on Windows in path/filepath — path/filepath | 7.5 | - | 2022-08-09 |
| CVE-2022-30634 | Indefinite hang with large buffers on Windows in crypto/rand — crypto/rand | 7.5 | - | 2022-07-15 |

This page lists every published CVE security advisory associated with Go standard library. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.