Golang Go vulnerabilities
168 known vulnerabilities affecting golang/go.
Total CVEs: 168
CISA KEV: 2 (actively exploited)
Public exploits: 2
Exploited in wild: 2
Severity breakdown: CRITICAL 18, HIGH 98, MEDIUM 49, LOW 3
Vulnerabilities
Page 5 of 9
CVE-2020-7919 (P3, HIGH, CVSS 7.5, CWE-295)
Versions: ≥ 1.12, < 1.12.6; ≥ 1.13, < 1.13.7
Date: 2020-03-16
Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.
Source: nvd
CVE-2022-30631 (P3, HIGH, CVSS 7.5, CWE-674)
Versions: fixed in 1.17.12; ≥ 1.18.0, < 1.18.4
Date: 2022-08-10
Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files.
Source: nvd
CVE-2023-24536 (P3, HIGH, CVSS 7.5, CWE-770)
Versions: fixed in 1.19.8; ≥ 1.20.0, < 1.20.3
Date: 2023-04-06
Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs t
Source: nvd
CVE-2022-30635 (P3, HIGH, CVSS 7.5, CWE-674)
Versions: fixed in 1.17.12; ≥ 1.18.0, < 1.18.4
Date: 2022-08-10
Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
Source: nvd
CVE-2022-30580 (P3, HIGH, CVSS 7.8, CWE-94)
Versions: fixed in 1.17.11; ≥ 1.18.0, < 1.18.3
Date: 2022-08-10
Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.
Source: nvd
CVE-2022-41725 (P3, HIGH, CVSS 7.5, CWE-770)
Versions: fixed in 1.19.6; v1.20.0
Date: 2023-02-28
A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFo
Source: nvd
CVE-2022-2880 (P3, HIGH, CVSS 7.5, CWE-444)
Versions: fixed in 1.18.7; ≥ 1.19.0, < 1.19.2
Date: 2022-10-14
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound requ
Source: nvd
CVE-2026-27137 (P3, HIGH, CVSS 7.5, CWE-295)
Versions: v1.26.0
Date: 2026-03-06
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.
Source: nvd
CVE-2026-39836 (P3, HIGH, CVSS 7.5, CWE-476)
Versions: fixed in 1.25.10; ≥ 1.26.0, < 1.26.3
Date: 2026-05-07
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
Source: nvd
CVE-2025-68119 (P3, HIGH, CVSS 7.0, CWE-787)
Versions: fixed in 1.24.12; ≥ 1.25.0, < 1.25.6
Date: 2026-01-28
Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious ve
Source: nvd
CVE-2022-23772 (P3, HIGH, CVSS 7.5, CWE-190)
Versions: fixed in 1.16.14; ≥ 1.17.0, < 1.17.7
Date: 2022-02-11
Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to uncontrolled memory consumption.
Source: nvd
CVE-2015-8618 (P3, HIGH, CVSS 7.5, CWE-200)
Versions: v1.5; v1.5.1; +1 more
Date: 2016-01-27
The Int.Exp Montgomery code in the math/big library in Go 1.5.x before 1.5.3 mishandles carry propagation and produces incorrect output, which makes it easier for attackers to obtain private RSA keys via unspecified vectors.
Source: nvd
CVE-2021-27918 (P3, HIGH, CVSS 7.5, CWE-835)
Versions: fixed in 1.15.9; ≥ 1.16.0, < 1.16.1
Date: 2021-03-11
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.
Source: nvd
CVE-2022-32190 (P3, HIGH, CVSS 7.5, CWE-22)
Versions: v1.19.0
Date: 2022-09-13
JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result.
Source: nvd
CVE-2022-30632 (P3, HIGH, CVSS 7.5, CWE-674)
Versions: fixed in 1.17.12; ≥ 1.18.0, < 1.18.4
Date: 2022-08-10
Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators.
Source: nvd
CVE-2022-30630 (P3, HIGH, CVSS 7.5, CWE-674)
Versions: fixed in 1.17.12; ≥ 1.18.0, < 1.18.4
Date: 2022-08-10
Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators.
Source: nvd
CVE-2021-33194 (P3, HIGH, CVSS 7.5, CWE-835)
Versions: ≤ 1.15.12; ≥ 1.16.0, ≤ 1.16.4
Date: 2021-05-26
golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.
Source: nvd
CVE-2022-27536 (P3, HIGH, CVSS 7.5, CWE-295)
Versions: ≥ 1.18.0, < 1.18.1
Date: 2022-04-20
Certificate.Verify in crypto/x509 in Go 1.18.x before 1.18.1 can be caused to panic on macOS when presented with certain malformed certificates. This allows a remote TLS server to cause a TLS client to panic.
Source: nvd
CVE-2025-61729 (P3, HIGH, CVSS 7.5, CWE-295)
Versions: fixed in 1.24.11; ≥ 1.25.0, < 1.25.5
Date: 2025-12-02
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
Source: nvd
CVE-2026-32281 (P3, HIGH, CVSS 7.5, CWE-295)
Versions: fixed in 1.25.9; ≥ 1.26.0, < 1.26.2
Date: 2026-04-08
Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
Source: nvd