Golang Go vulnerabilities
168 known vulnerabilities affecting golang/go.
Total CVEs
168
CISA KEV
2
actively exploited
Public exploits
2
Exploited in wild
2
Severity breakdown
CRITICAL18HIGH98MEDIUM49LOW3
Vulnerabilities
Page 8 of 9
CVE-2025-47912P4MEDIUMCVSS 5.3fixed in 1.24.8≥ 1.25.0, < 1.25.22025-10-29
CVE-2025-47912 [MEDIUM] CVE-2025-47912: The Parse function permits values other than IPv6 addresses to be included in square brackets within
The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce t
nvd
CVE-2026-39819P4MEDIUMCVSS 5.3fixed in 1.25.10≥ 1.26.0, < 1.26.32026-05-07
CVE-2026-39819 [MEDIUM] CWE-59 CVE-2026-39819: The "go bug" command writes to two files with predictable names in the system temporary directory (f
The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.
nvd
CVE-2021-31525P4MEDIUMCVSS 5.9fixed in 1.15.12≥ 1.16.0, < 1.16.42021-05-27
CVE-2021-31525 [MEDIUM] CWE-674 CVE-2021-31525: net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
nvd
CVE-2017-15042P4MEDIUMCVSS 5.9≤ 1.8.3v1.92017-10-05
CVE-2017-15042 [MEDIUM] CWE-319 CVE-2017-15042: An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires th
An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this wa
nvd
CVE-2026-32289P4MEDIUMCVSS 6.1fixed in 1.25.9≥ 1.26.0, < 1.26.22026-04-08
CVE-2026-32289 [MEDIUM] CWE-79 CVE-2026-32289: Context was not properly tracked across template branches for JS template literals, leading to possi
Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS templat
nvd
CVE-2026-27138P4MEDIUMCVSS 5.9v1.26.02026-03-06
CVE-2026-27138 [MEDIUM] CWE-295 CVE-2026-27138: Certificate verification can panic when a certificate in the chain has an empty DNS name and another
Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.
nvd
CVE-2023-39326P4MEDIUMCVSS 5.3fixed in 1.20.12≥ 1.21.0-0, < 1.21.52023-12-06
CVE-2023-39326 [MEDIUM] CVE-2023-39326: A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or respo
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a reques
nvd
CVE-2025-61730P4MEDIUMCVSS 5.3fixed in 1.24.12≥ 1.25.0, < 1.25.62026-01-28
CVE-2025-61730 [MEDIUM] CVE-2025-61730: During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level bou
During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during th
nvd
CVE-2026-27142P4MEDIUMCVSS 6.1fixed in 1.25.8v1.26.02026-03-06
CVE-2026-27142 [MEDIUM] CWE-79 CVE-2026-27142: Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can all
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by
nvd
CVE-2020-14039P4MEDIUMCVSS 5.3fixed in 1.13.13≥ 1.14.0, < 1.14.52020-07-17
CVE-2020-14039 [MEDIUM] CWE-295 CVE-2020-14039: In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOpti
In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete.
nvd
CVE-2023-29409P4MEDIUMCVSS 5.3fixed in 1.19.12≥ 1.20.0, < 1.20.7+1 more2023-08-02
CVE-2023-29409 [MEDIUM] CWE-400 CVE-2023-29409: Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU t
Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this
nvd
CVE-2021-44717P4MEDIUMCVSS 4.8fixed in 1.16.12≥ 1.17.0, < 1.17.52022-01-01
CVE-2021-44717 [MEDIUM] CWE-404 CVE-2021-44717: Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or
Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.
nvd
CVE-2025-61724P4MEDIUMCVSS 5.3fixed in 1.24.8≥ 1.25.0, < 1.25.22025-10-29
CVE-2025-61724 [MEDIUM] CWE-770 CVE-2025-61724: The Reader.ReadResponse function constructs a response string through repeated string concatenation
The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.
nvd
CVE-2026-39823P4MEDIUMCVSS 6.1fixed in 1.25.10≥ 1.26.0, < 1.26.32026-05-07
CVE-2026-39823 [MEDIUM] CVE-2026-39823: CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS.
nvd
CVE-2025-58189P4MEDIUMCVSS 5.3fixed in 1.24.8≥ 1.25.0, < 1.25.22025-10-29
CVE-2025-58189 [MEDIUM] CWE-532 CVE-2025-58189: When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information
When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.
nvd
CVE-2023-24532P4MEDIUMCVSS 5.3fixed in 1.19.7≥ 1.20.0, < 1.20.22023-03-08
CVE-2023-24532 [MEDIUM] CWE-682 CVE-2023-24532: The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called
The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh.
nvd
CVE-2023-39318P4MEDIUMCVSS 6.1fixed in 1.20.8≥ 1.21.0, < 1.21.12023-09-08
CVE-2023-39318 [MEDIUM] CWE-79 CVE-2023-39318: The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" co
The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in contexts. This may cause the template parser to improperly interpret the contents of contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.
nvd
CVE-2023-39319P4MEDIUMCVSS 6.1fixed in 1.20.8≥ 1.21.0, < 1.21.12023-09-08
CVE-2023-39319 [MEDIUM] CWE-79 CVE-2023-39319: The html/template package does not apply the proper rules for handling occurrences of "<script", "<!
The html/template package does not apply the proper rules for handling occurrences of " contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.
nvd
CVE-2023-45284P4MEDIUMCVSS 5.3fixed in 1.20.11≥ 1.21.0-0, < 1.21.42023-11-09
CVE-2023-45284 [MEDIUM] CVE-2023-45284: On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Rese
On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now correctly reports these names as non-local.
nvd
CVE-2025-0913P4MEDIUMCVSS 5.5fixed in 1.23.10≥ 1.24.0, < 1.24.42025-06-11
CVE-2025-0913 [MEDIUM] CWE-59 CVE-2025-0913: os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the targe
os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always r
nvd