Golang Go vulnerabilities
168 known vulnerabilities affecting golang/go.
Total CVEs
168
CISA KEV
2
actively exploited
Public exploits
2
Exploited in wild
2
Severity breakdown
CRITICAL18HIGH98MEDIUM49LOW3
Vulnerabilities
Page 2 of 9
CVE-2024-24790P3CRITICALCVSS 9.8fixed in 1.21.11≥ 1.22.0, < 1.22.42024-06-05
CVE-2024-24790 [CRITICAL] CVE-2024-24790: The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 ad
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
nvd
CVE-2018-16874P3HIGHCVSS 8.1fixed in 1.10.6≥ 1.11.0, < 1.11.32018-12-14
CVE-2018-16874 [HIGH] CWE-20 CVE-2018-16874: In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traver
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cm
nvd
CVE-2015-5740P3CRITICALCVSS 9.8≤ 1.4.22017-10-18
CVE-2015-5740 [CRITICAL] CWE-444 CVE-2015-5740: The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers
The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request with two Content-length headers.
nvd
CVE-2018-6574P3HIGHCVSS 7.8≤ 1.8.6v1.9+4 more2018-02-07
CVE-2018-6574 [HIGH] CWE-94 CVE-2018-6574: Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" re
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
nvd
CVE-2025-61726P3HIGHCVSS 7.5fixed in 1.24.12≥ 1.25.0, < 1.25.62026-01-28
CVE-2025-61726 [HIGH] CWE-770 CVE-2025-61726: The net/url package does not set a limit on the number of query parameters in a query. While the max
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memo
nvd
CVE-2022-23806P3CRITICALCVSS 9.1fixed in 1.16.14≥ 1.17.0, < 1.17.72022-02-11
CVE-2022-23806 [CRITICAL] CWE-252 CVE-2022-23806: Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly ret
Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.
nvd
CVE-2021-29923P3HIGHCVSS 7.5fixed in 1.172021-08-07
CVE-2021-29923 [HIGH] CVE-2021-29923: Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP addre
Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.
nvd
CVE-2023-45283P3HIGHCVSS 7.5fixed in 1.20.11≥ 1.21.0-0, < 1.21.42023-11-09
CVE-2023-45283 [HIGH] CWE-22 CVE-2023-45283: The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path begi
The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example, the path \??\c:\x is equivalent to the more common path c:\x. Before fix,
nvd
CVE-2019-11888P3CRITICALCVSS 9.8≤ 1.12.52019-05-13
CVE-2019-11888 [CRITICAL] CWE-269 CVE-2019-11888: Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with
Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges.
nvd
CVE-2026-42501P3HIGHCVSS 7.5fixed in 1.25.10≥ 1.26.0, < 1.26.32026-05-07
CVE-2026-42501 [HIGH] CWE-347 CVE-2026-42501: A malicious module proxy can exploit a flaw in the go command's validation of module checksums to by
A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can serve altered versions of the Go toolchain. When selecting a different versi
nvd
CVE-2025-61732P3HIGHCVSS 8.6fixed in 1.24.13≥ 1.25.0, < 1.25.72026-02-05
CVE-2025-61732 [HIGH] CWE-94 CVE-2025-61732: A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resu
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
nvd
CVE-2025-4674P3HIGHCVSS 8.6fixed in 1.23.11≥ 1.24.0, < 1.24.52025-07-29
CVE-2025-4674 [HIGH] CWE-73 CVE-2025-4674: The go command may execute unexpected commands when operating in untrusted VCS repositories. This oc
The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line,
nvd
CVE-2020-28367P3HIGHCVSS 7.5fixed in 1.14.12≥ 1.15, < 1.15.52020-11-18
CVE-2020-28367 [HIGH] CWE-94 CVE-2020-28367: Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code exec
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.
nvd
CVE-2012-2666P3CRITICALCVSS 9.8v1.0.22021-07-09
CVE-2012-2666 [CRITICAL] CWE-377 CVE-2012-2666: golang/go in 1.0.2 fixes all.bash on shared machines. dotest() in src/pkg/debug/gosym/pclntab_test.g
golang/go in 1.0.2 fixes all.bash on shared machines. dotest() in src/pkg/debug/gosym/pclntab_test.go creates a temporary file with predicable name and executes it as shell script.
nvd
CVE-2025-61731P3HIGHCVSS 7.8fixed in 1.24.12≥ 1.25.0, < 1.25.62026-01-28
CVE-2025-61731 [HIGH] CWE-88 CVE-2025-61731: Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file wit
Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to
nvd
CVE-2019-16276P3HIGHCVSS 7.5fixed in 1.12.10≥ 1.13, < 1.13.12019-09-30
CVE-2019-16276 [HIGH] CWE-444 CVE-2019-16276: Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.
Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.
nvd
CVE-2023-39325P3HIGHCVSS 7.5≥ 1.20.0, < 1.20.10≥ 1.21.0, < 1.21.32023-10-11
CVE-2023-39325 [HIGH] CWE-770 CVE-2023-39325: A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause exces
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. Wit
nvd
CVE-2026-33810P3HIGHCVSS 8.2≥ 1.26.0, < 1.26.22026-04-08
CVE-2026-33810 [HIGH] CWE-295 CVE-2026-33810: When verifying a certificate chain containing excluded DNS constraints, these constraints are not co
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
nvd
CVE-2023-24540P3CRITICALCVSS 9.8fixed in 1.19.9≥ 1.20.0, < 1.20.42023-05-11
CVE-2023-24540 [CRITICAL] CWE-77 CVE-2023-24540: Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing
Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
nvd
CVE-2022-24675P3HIGHCVSS 7.5fixed in 1.17.9≥ 1.18.0, < 1.18.12022-04-20
CVE-2022-24675 [HIGH] CWE-674 CVE-2022-24675: encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large am
encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.
nvd