Golang Go vulnerabilities
168 known vulnerabilities affecting golang/go.
Total CVEs: 168
CISA KEV: 2 (actively exploited)
Public exploits: 2
Exploited in wild: 2
Severity breakdown: CRITICAL 18, HIGH 98, MEDIUM 49, LOW 3
Vulnerabilities
Page 6 of 9
CVE-2021-34558 | P3 | MEDIUM | CVSS 6.5 | CWE-295 | fixed in 1.15.14; affected ≥ 1.16.0, < 1.16.6 | 2021-07-15
The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing an RSA-based key exchange, allowing a malicious TLS server to cause a TLS client to panic.
Source: nvd
CVE-2016-3959 | P3 | HIGH | CVSS 7.5 | CWE-20 | affected v1.6; ≤ 1.5 | 2016-05-23
The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted public key to a program that uses HTTPS client certificates or SSH server libraries.
Source: nvd
CVE-2022-2879 | P3 | HIGH | CVSS 7.5 | CWE-770 | fixed in 1.18.7; affected ≥ 1.19.0, < 1.19.2 | 2022-10-14
Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.
Source: nvd
CVE-2023-29403 | P3 | HIGH | CVSS 7.8 | CWE-668 | fixed in 1.19.10; affected ≥ 1.20.0, < 1.20.5 | 2023-06-08
On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard I/O file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result
Source: nvd
CVE-2022-41716 | P3 | HIGH | CVSS 7.5 | - | fixed in 1.18.8; affected ≥ 1.19.0, < 1.19.3 | 2022-11-02
Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For exam
Source: nvd
CVE-2025-47907 | P3 | HIGH | CVSS 7.0 | CWE-362 | fixed in 1.23.12; affected ≥ 1.24.0, < 1.24.6 | 2025-08-07
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to r
Source: nvd
CVE-2020-28851 | P3 | HIGH | CVSS 7.5 | CWE-129 | affected v1.15.4 | 2021-01-02
In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)
Source: nvd
CVE-2022-32189 | P3 | HIGH | CVSS 7.5 | - | fixed in 1.17.13; affected ≥ 1.18.0, < 1.18.5 | 2022-08-10
A too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go before 1.17.13 and 1.18.x before 1.18.5, potentially allowing a denial of service.
Source: nvd
CVE-2023-24537 | P3 | HIGH | CVSS 7.5 | CWE-190 | fixed in 1.19.8; affected ≥ 1.20.0, < 1.20.3 | 2023-04-06
Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.
Source: nvd
CVE-2022-41715 | P3 | HIGH | CVSS 7.5 | - | fixed in 1.18.7; affected ≥ 1.19.0, < 1.19.2 | 2022-10-14
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being p
Source: nvd
CVE-2023-39322 | P3 | HIGH | CVSS 7.5 | CWE-770 | affected ≥ 1.21.0, < 1.21.1 | 2023-09-08
QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With fix, connections now consistently reject messages larger than 65 KiB in size.
Source: nvd
CVE-2022-41724 | P3 | HIGH | CVSS 7.5 | CWE-400 | fixed in 1.19.6; affected v1.20.0 | 2023-02-28
Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-
Source: nvd
CVE-2022-27664 | P3 | HIGH | CVSS 7.5 | - | fixed in 1.18.6; affected v1.19.0 | 2022-09-06
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
Source: nvd
CVE-2017-1000097 | P3 | HIGH | CVSS 7.5 | CWE-295 | fixed in 1.6.4; affected ≥ 1.7, < 1.7.4 | 2017-10-05
On Darwin, user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate.
Source: nvd
CVE-2023-39321 | P3 | HIGH | CVSS 7.5 | CWE-400 | affected ≥ 1.21.0, < 1.21.1 | 2023-09-08
Processing an incomplete post-handshake message for a QUIC connection can cause a panic.
Source: nvd
CVE-2021-3114 | P4 | MEDIUM | CVSS 6.5 | CWE-682 | fixed in 1.14.14; affected ≥ 1.15, < 1.15.7 | 2021-01-26
In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
Source: nvd
CVE-2020-29510 | P4 | MEDIUM | CVSS 5.6 | CWE-115 | affected ≤ 1.15; ≥ unspecified, ≤ 1.15 | 2020-12-14
The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
Source: nvd
CVE-2016-3958 | P4 | HIGH | CVSS 7.8 | CWE-264 | affected ≥ 1.5, < 1.5.4; ≥ 1.6, < 1.6.1; +1 more | 2016-05-23
Untrusted search path vulnerability in Go before 1.5.4 and 1.6.x before 1.6.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, related to use of the LoadLibrary function.
Source: nvd
CVE-2022-41717 | P4 | MEDIUM | CVSS 5.3 | CWE-770 | fixed in 1.18.9; affected ≥ 1.19.0, < 1.19.4 | 2022-12-08
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
Source: nvd
CVE-2023-29406 | P4 | MEDIUM | CVSS 6.5 | CWE-436 | fixed in 1.19.11; affected ≥ 1.20.0, < 1.20.6 | 2023-07-11
The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
Source: nvd