Golang Go vulnerabilities
168 known vulnerabilities affecting golang/go.

Total CVEs: 168
CISA KEV: 2 (actively exploited)
Public exploits: 2
Exploited in the wild: 2

Severity breakdown: CRITICAL 18, HIGH 98, MEDIUM 49, LOW 3

Vulnerabilities
Page 4 of 9
CVE-2026-25679 [HIGH] P3, CVSS 7.5, CWE-425. Fixed in 1.25.8; v1.26.0. Published 2026-03-06.
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
Source: NVD
CVE-2025-61723 [HIGH] P3, CVSS 7.5, CWE-770. Fixed in 1.24.8; also affected ≥ 1.25.0, < 1.25.2. Published 2025-10-29.
The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.
Source: NVD
CVE-2025-58187 [HIGH] P3, CVSS 7.5, CWE-407. Fixed in 1.24.9; also affected ≥ 1.25.0, < 1.25.3. Published 2025-10-29.
Due to the design of the name constraint checking algorithm, the processing time of some inputs scales non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.
Source: NVD
CVE-2020-16845 [HIGH] P3, CVSS 7.5, CWE-835. Fixed in 1.13.15; also affected ≥ 1.14, < 1.14.7. Published 2020-08-06.
Go before 1.13.15 and 1.14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
Source: NVD
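The loop in the entry above is driven by the input, not by the decoder: a stream that keeps the varint continuation bit set never yields a terminating byte. The fix in Go caps the read at binary.MaxVarintLen64 bytes; the same cap is cheap to enforce yourself when a length-prefixed framing reads from an untrusted connection, and it also forces the follow-on check that the decoded length is sane before allocating. The program below is an added example, not code from the Go project; endlessContinuation, boundedByteReader, readUvarintBounded, readFrame and maxFrameBytes are names and a policy limit chosen for the demonstration.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// maxFrameBytes is an assumed policy limit on one length-prefixed frame.
const maxFrameBytes = 1 << 20

var errVarintTooLong = errors.New("varint: no terminating byte within MaxVarintLen64 bytes")

// endlessContinuation is a constructed io.ByteReader that never stops
// emitting bytes with the continuation bit (0x80) set: the shape of input
// that kept ReadUvarint spinning on unpatched Go.
type endlessContinuation struct{}

func (endlessContinuation) ReadByte() (byte, error) { return 0x80, nil }

// boundedByteReader hands out at most max bytes from the untrusted
// source and then fails, regardless of what the decoder wants next.
type boundedByteReader struct {
	src    io.ByteReader
	n, max int
}

func (b *boundedByteReader) ReadByte() (byte, error) {
	if b.n >= b.max {
		return 0, errVarintTooLong
	}
	b.n++
	return b.src.ReadByte()
}

// readUvarintBounded decodes one uvarint from r while consuming no more
// than binary.MaxVarintLen64 (10) bytes, whatever the input looks like.
func readUvarintBounded(r io.ByteReader) (uint64, error) {
	return binary.ReadUvarint(&boundedByteReader{src: r, max: binary.MaxVarintLen64})
}

// readFrame reads a varint length prefix and then exactly that many
// bytes, refusing lengths above maxFrameBytes before allocating.
func readFrame(r *bufio.Reader) ([]byte, error) {
	n, err := readUvarintBounded(r)
	if err != nil {
		return nil, err
	}
	if n > maxFrameBytes {
		return nil, fmt.Errorf("frame length %d exceeds limit %d", n, maxFrameBytes)
	}
	buf := make([]byte, n)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	return buf, nil
}

func main() {
	// 0xAC 0x02 encodes 300 (constructed input).
	v, err := readUvarintBounded(bytes.NewReader([]byte{0xAC, 0x02}))
	fmt.Println(v, err)

	// A stream of continuation bytes now terminates with an error.
	_, err = readUvarintBounded(endlessContinuation{})
	fmt.Println(err)

	// A well-formed frame: length 3 followed by "abc" (constructed input).
	frame, err := readFrame(bufio.NewReader(bytes.NewReader([]byte{0x03, 'a', 'b', 'c'})))
	fmt.Printf("%q %v\n", frame, err)
}
```

On a patched Go the inner ReadUvarint already returns its own overflow error after ten bytes; the wrapper makes the bound explicit and independent of the toolchain version, and readFrame shows where the decoded value has to be validated next.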
CVE-2021-41771 [HIGH] P3, CVSS 7.5, CWE-119. Fixed in 1.16.10; also affected ≥ 1.17.0, < 1.17.3. Published 2021-11-08.
ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 reads past the end of a buffer on crafted input: an out-of-bounds slice, which panics in Go.
Source: NVD
CVE-2019-9634 [HIGH] P3, CVSS 7.8, CWE-427. Fixed in 1.11.10; also affected ≥ 1.12, < 1.12.2. Published 2019-03-08.
Go through 1.12 on Windows misuses certain LoadLibrary functionality, leading to DLL injection.
Source: NVD
CVE-2021-44716 [HIGH] P3, CVSS 7.5, CWE-400. Fixed in 1.16.12; also affected ≥ 1.17.0, < 1.17.5. Published 2022-01-01.
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
Source: NVD
CVE-2020-28362 [HIGH] P3, CVSS 7.5, CWE-295. Fixed in 1.14.12; also affected ≥ 1.15, < 1.15.5. Published 2020-11-18.
Go before 1.14.12 and 1.15.x before 1.15.5 allows denial of service: math/big can panic while dividing very large integers, so a program doing arithmetic on attacker-controlled big integers can be crashed. (The NVD text says only "allows Denial of Service" and gives 1.15.4 as the cutoff; the fix shipped in Go 1.15.5, matching the affected range above.)
Source: NVD
CVE-2021-33198 [HIGH] P3, CVSS 7.5. Fixed in 1.15.13; also affected ≥ 1.16.0, < 1.16.5. Published 2021-08-02.
In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.
Source: NVD
CVE-2017-1000098 [HIGH] P3, CVSS 7.5, CWE-769. Fixed in 1.6.4; also affected ≥ 1.7, < 1.7.4. Published 2017-10-05.
The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given maxMemory limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors.
Source: NVD
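The entry above is the general shape of multipart handling problems: ParseMultipartForm decides on the server's behalf when to spill to disk, and nothing in the request tells it how many parts to expect. The handler below is an added example (not code from the Go project or from NVD) of the alternative a practitioner usually wants for untrusted uploads: read with MultipartReader so parts are streamed rather than spooled, wrap the body in http.MaxBytesReader, and enforce a part count and a per-part size. maxUploadBytes, maxParts and maxPartBytes are assumed policy values; uploadHandler, buildMultipartBody and postMultipart are names chosen for the demonstration, and the request bodies are constructed in memory.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
)

// Assumed policy for the upload endpoint.
const (
	maxUploadBytes = 1 << 20   // whole request body
	maxParts       = 8         // number of multipart parts
	maxPartBytes   = 256 << 10 // bytes accepted from any single part
)

// uploadHandler reads the body with MultipartReader instead of
// ParseMultipartForm: parts are consumed as a stream, nothing is spooled
// to temporary files, and the request is rejected as soon as it exceeds
// the size or part-count budget.
func uploadHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxUploadBytes)
	mr, err := r.MultipartReader()
	if err != nil {
		http.Error(w, "expected multipart/form-data", http.StatusBadRequest)
		return
	}
	parts := 0
	for {
		p, err := mr.NextPart()
		if err == io.EOF {
			break
		}
		if err != nil {
			rejectReadError(w, err)
			return
		}
		parts++
		if parts > maxParts {
			p.Close()
			http.Error(w, "too many parts", http.StatusRequestEntityTooLarge)
			return
		}
		// Drain the part through a bounded reader; a real handler would
		// stream it to its destination here instead of discarding it.
		n, err := io.Copy(io.Discard, io.LimitReader(p, maxPartBytes+1))
		p.Close()
		if err != nil {
			rejectReadError(w, err)
			return
		}
		if n > maxPartBytes {
			http.Error(w, "part too large", http.StatusRequestEntityTooLarge)
			return
		}
	}
	fmt.Fprintf(w, "accepted %d parts\n", parts)
}

// rejectReadError maps a MaxBytesReader overrun to 413 and anything
// else to 400.
func rejectReadError(w http.ResponseWriter, err error) {
	var tooBig *http.MaxBytesError
	if errors.As(err, &tooBig) {
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	http.Error(w, "malformed multipart body", http.StatusBadRequest)
}

// buildMultipartBody constructs a request body with n small file parts.
func buildMultipartBody(n int) (*bytes.Buffer, string) {
	var buf bytes.Buffer
	mw := multipart.NewWriter(&buf)
	for i := 0; i < n; i++ {
		fw, err := mw.CreateFormFile(fmt.Sprintf("file%d", i), fmt.Sprintf("f%d.bin", i))
		if err != nil {
			panic(err)
		}
		fw.Write(bytes.Repeat([]byte{'A'}, 64))
	}
	mw.Close()
	return &buf, mw.FormDataContentType()
}

// postMultipart runs the handler in-process against a body with n parts
// and returns the HTTP status it produced.
func postMultipart(n int) int {
	body, contentType := buildMultipartBody(n)
	req := httptest.NewRequest(http.MethodPost, "/upload", body)
	req.Header.Set("Content-Type", contentType)
	rr := httptest.NewRecorder()
	http.HandlerFunc(uploadHandler).ServeHTTP(rr, req)
	return rr.Code
}

func main() {
	fmt.Println("3 parts:", postMultipart(3))
	fmt.Println(maxParts+1, "parts:", postMultipart(maxParts+1))
}
```

The part-count limit is what the fixed Go versions could not supply on their own: even after the file-descriptor bug was closed, a caller that uses ParseMultipartForm with a large maxMemory still lets the client choose how much memory the server commits per request.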
CVE-2022-30634 [HIGH] P3, CVSS 7.5, CWE-835. Fixed in 1.17.11; also affected ≥ 1.18.0, < 1.18.3. Published 2022-07-15.
Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows an attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes.
Source: NVD
CVE-2022-30633 [HIGH] P3, CVSS 7.5, CWE-674. Fixed in 1.17.12; also affected ≥ 1.18.0, < 1.18.4. Published 2022-08-10.
Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.
Source: NVD
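The recursion in the entry above is a property of the input: every nested element becomes another level of Unmarshal, and with a ",any" field the nesting is unbounded. A cheap pre-pass over the token stream bounds the depth before any recursive decoding starts. The code below is an added example, not code from the Go project; Node mirrors the vulnerable struct shape the advisory describes, and checkDepth, unmarshalBounded and nestedDoc are names chosen for the demonstration, with the XML documents constructed inline.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Node has the shape the advisory describes: a struct whose nested field
// carries the ",any" tag, so every child element is decoded into the
// same type and deeply nested input drives deep recursion in Unmarshal.
type Node struct {
	XMLName  xml.Name
	Children []Node `xml:",any"`
}

var errTooDeep = errors.New("xml: element nesting exceeds the allowed depth")

// checkDepth makes one pass over the token stream and rejects the
// document as soon as element nesting exceeds maxDepth. It builds no
// tree, so it is linear in input size and constant in extra memory.
func checkDepth(doc []byte, maxDepth int) error {
	dec := xml.NewDecoder(bytes.NewReader(doc))
	depth := 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		switch tok.(type) {
		case xml.StartElement:
			depth++
			if depth > maxDepth {
				return errTooDeep
			}
		case xml.EndElement:
			depth--
		}
	}
}

// unmarshalBounded is the replacement for xml.Unmarshal on untrusted
// input: depth check first, then the normal decode.
func unmarshalBounded(doc []byte, maxDepth int, v any) error {
	if err := checkDepth(doc, maxDepth); err != nil {
		return err
	}
	return xml.Unmarshal(doc, v)
}

// nestedDoc builds a constructed document of n nested <a> elements.
func nestedDoc(n int) []byte {
	return []byte(strings.Repeat("<a>", n) + strings.Repeat("</a>", n))
}

func main() {
	var root Node
	err := unmarshalBounded(nestedDoc(5), 64, &root)
	fmt.Println("depth 5:", err, "root:", root.XMLName.Local, "children:", len(root.Children))

	err = unmarshalBounded(nestedDoc(100000), 64, &root)
	fmt.Println("depth 100000:", err)
}
```

The check reads the input twice, which is acceptable for request-sized documents; for large streams the same counter belongs in a Decoder wrapper that hands tokens to the real decode one at a time. Note that the patched Go versions impose their own recursion limit, so the pre-pass is defence in depth, and it lets you pick a limit that matches your schema rather than the library's.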
CVE-2023-45287 [HIGH] P3, CVSS 7.5, CWE-203. Fixed in 1.20.0. Published 2023-12-05.
Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session ke
Source: NVD
CVE-2026-33814 [HIGH] P3, CVSS 7.5, CWE-835. Fixed in 1.25.10; also affected ≥ 1.26.0, < 1.26.3. Published 2026-05-07.
When processing HTTP/2 SETTINGS frames, the transport enters an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
Source: NVD
CVE-2026-42499 [HIGH] P3, CVSS 7.5, CWE-1046. Fixed in 1.25.10; also affected ≥ 1.26.0, < 1.26.3. Published 2026-05-07.
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
Source: NVD
CVE-2023-24539 [HIGH] P3, CVSS 7.3, CWE-74. Fixed in 1.19.9; also affected ≥ 1.20.0, < 1.20.4. Published 2023-05-11.
Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.
Source: NVD
CVE-2023-29400 [HIGH] P3, CVSS 7.3, CWE-74. Fixed in 1.19.9; also affected ≥ 1.20.0, < 1.20.4. Published 2023-05-11.
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
Source: NVD
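Both html/template entries above (CVE-2023-24539 and CVE-2023-29400) are cases where the escaper's context tracking and the browser's parsing disagreed, and in both the template author could have avoided the ambiguity: quote attribute values, and keep interpolated values out of positions where a delimiter is implicit. The program below is an added example, not code from the Go project; it shows the quoted form producing the expected escaped output for an empty and for a hostile value, and a small source check that fails a build on the unquoted `attr={{` pattern. unquotedAttrAction is a constructed heuristic rather than a template parser, and findUnquotedAttrActions and render are names chosen for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"regexp"
)

// unquotedAttrAction is a constructed heuristic (not a template parser):
// an attribute name followed by '=' and then a template action with no
// quote in between, e.g. ` href={{.URL}}`. Quoted forms such as
// ` href="{{.URL}}"` do not match.
var unquotedAttrAction = regexp.MustCompile(`\s[A-Za-z_:][-\w:.]*=\{\{`)

// findUnquotedAttrActions returns every match in a template source so a
// CI step can reject the pattern CVE-2023-29400 describes.
func findUnquotedAttrActions(src string) []string {
	return unquotedAttrAction.FindAllString(src, -1)
}

// render parses and executes an html/template with the given data.
func render(src string, data any) (string, error) {
	t, err := template.New("t").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	const unquoted = `<div class={{.}}>x</div>`
	const quoted = `<div class="{{.}}">x</div>`

	fmt.Println("lint hits, unquoted:", findUnquotedAttrActions(unquoted))
	fmt.Println("lint hits, quoted:  ", findUnquotedAttrActions(quoted))

	// Constructed inputs: the empty value from the advisory, and a value
	// that tries to break out of the attribute.
	for _, in := range []string{"", `x" onmouseover="alert(1)`} {
		out, _ := render(quoted, in)
		fmt.Printf("quoted   %q -> %s\n", in, out)
		out, _ = render(unquoted, in)
		fmt.Printf("unquoted %q -> %s\n", in, out)
	}
}
```

With the quoted template the empty value renders as `class=""` and the hostile value has its quotes escaped, so the attribute boundary is preserved on every Go version. The unquoted template's output depends on the toolchain: before the fix an empty value left `class=` dangling for the browser to normalise, and patched versions substitute the filter-failsafe placeholder instead. The lint check exists so that the question never reaches the escaper.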
CVE-2025-58188 [HIGH] P3, CVSS 7.5, CWE-295. Fixed in 1.24.8; also affected ≥ 1.25.0, < 1.25.2. Published 2025-10-29.
Validating certificate chains which contain DSA public keys can cause programs to panic, due to an interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.
Source: NVD
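Three entries on this page (CVE-2025-61723 on PEM parsing, CVE-2025-58187 on name constraints, and CVE-2025-58188 above on DSA keys) share the phrase "programs which validate arbitrary certificate chains", and the common mitigation is to make the chain less arbitrary before x509.Verify sees it: bound the PEM input, bound the number of certificates, and refuse key types the verifier has no business handling. The code below is an added example, not code from the Go project or NVD; maxChainPEMBytes and maxChainCerts are assumed policy values, parseUntrustedChain and checkKeyType are names chosen for the demonstration, and the certificate it parses is generated in memory rather than taken from any real deployment.

```go
package main

import (
	"crypto/dsa"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Assumed policy limits for a chain presented by an untrusted peer.
const (
	maxChainPEMBytes = 64 << 10
	maxChainCerts    = 8
)

var (
	errChainTooLarge  = errors.New("chain: PEM input exceeds size limit")
	errTooManyCerts   = errors.New("chain: too many certificates")
	errUnsupportedKey = errors.New("chain: unsupported public key type")
)

// dsaStubCert is a constructed certificate carrying only a DSA key, used
// to show the filter rejecting it; it is not a parsed certificate.
var dsaStubCert = &x509.Certificate{PublicKey: &dsa.PublicKey{}}

// checkKeyType allows only the key types the verifier is expected to
// handle; everything else, DSA in particular, is refused up front.
func checkKeyType(cert *x509.Certificate) error {
	switch cert.PublicKey.(type) {
	case *rsa.PublicKey, *ecdsa.PublicKey, ed25519.PublicKey:
		return nil
	case *dsa.PublicKey:
		return fmt.Errorf("%w: DSA", errUnsupportedKey)
	default:
		return fmt.Errorf("%w: %T", errUnsupportedKey, cert.PublicKey)
	}
}

// parseUntrustedChain bounds the PEM size, bounds the certificate count
// and filters key types before anything reaches Verify.
func parseUntrustedChain(pemData []byte) ([]*x509.Certificate, error) {
	if len(pemData) > maxChainPEMBytes {
		return nil, errChainTooLarge
	}
	var chain []*x509.Certificate
	for rest := pemData; len(rest) > 0; {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		if len(chain) >= maxChainCerts {
			return nil, errTooManyCerts
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		if err := checkKeyType(cert); err != nil {
			return nil, err
		}
		chain = append(chain, cert)
	}
	if len(chain) == 0 {
		return nil, errors.New("chain: no CERTIFICATE blocks found")
	}
	return chain, nil
}

// selfSignedPEM generates a constructed ECDSA self-signed CA certificate
// to exercise the parser.
func selfSignedPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"},
		DNSNames:              []string{"example.test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	p, err := selfSignedPEM()
	if err != nil {
		panic(err)
	}
	chain, err := parseUntrustedChain(p)
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(chain[0])
	_, err = chain[0].Verify(x509.VerifyOptions{Roots: roots, DNSName: "example.test"})
	fmt.Println("verify:", err)
	fmt.Println("DSA stub:", checkKeyType(dsaStubCert))
}
```

The size and count limits do not remove the non-linear behaviour the PEM and name-constraint entries describe; they cap the n that the attacker controls so the worst case stays affordable, and the real fix remains upgrading. The key-type filter, by contrast, closes the DSA panic completely for callers on older toolchains, since the offending cast is never reached.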
CVE-2021-33196 [HIGH] P3, CVSS 7.5, CWE-20. Fixed in 1.15.13; also affected ≥ 1.16.0, < 1.16.5. Published 2021-08-02.
In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic.
Source: NVD
CVE-2021-41772 [HIGH] P3, CVSS 7.5, CWE-20. Fixed in 1.16.10; also affected ≥ 1.17.0, < 1.17.3. Published 2021-11-08.
Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.
Source: NVD
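The two archive/zip entries above are both parser panics on crafted metadata (a file count, an invalid or empty name). Upgrading is the fix, but a service that opens archives from users should also assume the parser can fail violently and should check entry names itself, since a name like `../x` is accepted by the writer and the reader alike. The program below is an added example, not code from the Go project: openUntrustedZip converts a parser panic into an error and validates names with filepath.IsLocal, readEntry caps inflation, and buildZip constructs the sample archives in memory. maxEntryBytes is an assumed policy value and the function names are chosen for the demonstration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
)

// maxEntryBytes is an assumed policy limit on the inflated size of one entry.
const maxEntryBytes = 8 << 20

var errBadEntryName = errors.New("zip: entry name is empty or not a local path")

// openUntrustedZip wraps zip.NewReader so that a parser panic on a crafted
// archive surfaces as an error instead of taking the process down, then
// validates every entry name before the caller opens anything.
func openUntrustedZip(data []byte) (zr *zip.Reader, err error) {
	defer func() {
		if r := recover(); r != nil {
			zr, err = nil, fmt.Errorf("zip: parser panic on untrusted archive: %v", r)
		}
	}()
	zr, err = zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	for _, f := range zr.File {
		// Empty names and names that escape the extraction root are both
		// rejected here, before any Open or extraction happens.
		if f.Name == "" || !filepath.IsLocal(filepath.FromSlash(f.Name)) {
			return nil, fmt.Errorf("%w: %q", errBadEntryName, f.Name)
		}
	}
	return zr, nil
}

// readEntry inflates one entry with a hard cap, so a small archive that
// declares a huge uncompressed size cannot exhaust memory.
func readEntry(f *zip.File) ([]byte, error) {
	rc, err := f.Open()
	if err != nil {
		return nil, err
	}
	defer rc.Close()
	data, err := io.ReadAll(io.LimitReader(rc, maxEntryBytes+1))
	if err != nil {
		return nil, err
	}
	if len(data) > maxEntryBytes {
		return nil, fmt.Errorf("zip: entry %q exceeds %d bytes", f.Name, maxEntryBytes)
	}
	return data, nil
}

// buildZip assembles a constructed archive in memory for the demo.
func buildZip(entries map[string]string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for name, body := range entries {
		fw, err := w.Create(name)
		if err != nil {
			panic(err)
		}
		fw.Write([]byte(body))
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	zr, err := openUntrustedZip(buildZip(map[string]string{"ok.txt": "hello"}))
	if err != nil {
		panic(err)
	}
	data, err := readEntry(zr.File[0])
	fmt.Printf("ok.txt -> %q %v\n", data, err)

	_, err = openUntrustedZip(buildZip(map[string]string{"../evil.txt": "x"}))
	fmt.Println("traversal name ->", err)

	_, err = openUntrustedZip([]byte("not a zip archive at all"))
	fmt.Println("garbage ->", err)
}
```

The recover is deliberately narrow: it wraps only the parse, so a panic elsewhere in the program is still fatal, and the error it returns carries the panic value for logging. It does not make a vulnerable toolchain safe against every crafted input, only against ones whose failure mode is a panic in NewReader, which is exactly what the two entries above describe.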