
Golang Go vulnerabilities

168 known vulnerabilities affecting golang/go.

Total CVEs: 168
CISA KEV: 2 (actively exploited)
Public exploits: 2
Exploited in wild: 2
Severity breakdown: CRITICAL 18, HIGH 98, MEDIUM 49, LOW 3

Vulnerabilities

Page 9 of 9
CVE-2024-24789
  Priority: P4 | Severity: MEDIUM | CVSS: 5.5
  Affected: fixed in 1.21.11; ≥ 1.22.0, < 1.22.4
  Date: 2024-06-05
  Description: The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create a zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.
  Source: nvd
CVE-2022-1962
  Priority: P4 | Severity: MEDIUM | CVSS: 5.5 | CWE: CWE-674
  Affected: fixed in 1.17.12; ≥ 1.18.0, < 1.18.4
  Date: 2022-08-10
  Description: Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.
  Source: nvd
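The practical defence a service that parses user-supplied Go source wants is to bound the input before go/parser's recursive descent ever runs: every level of type or expression nesting costs at least one byte, so a byte cap is also a recursion cap. A deferred recover() does not help against the pre-fix behaviour, because stack exhaustion is a fatal runtime error rather than a recoverable panic. The program below is an added example, not code from the Go project or from this page; the 256 KiB limit, the parseUntrusted and typeNesting helpers and the nestedTypeSource generator (which builds a `type T [][]...int` declaration of the shape the advisory describes) are all assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// maxSourceBytes is an assumed policy limit for untrusted source. Every level
// of type or expression nesting costs at least one byte of input, so capping
// the byte count also caps the recursion depth go/parser can reach.
const maxSourceBytes = 256 * 1024

// ErrTooLarge is returned for input over the cap; nothing is parsed in that case.
var ErrTooLarge = errors.New("untrusted source exceeds size limit")

// parseUntrusted applies the size cap and only then parses. A deferred
// recover() around ParseFile would not help against the pre-fix bug: stack
// exhaustion is a fatal runtime error, not a recoverable panic, so the cap
// has to run first.
func parseUntrusted(name string, src []byte) (*ast.File, error) {
	if len(src) > maxSourceBytes {
		return nil, fmt.Errorf("%w: %d bytes", ErrTooLarge, len(src))
	}
	fset := token.NewFileSet()
	return parser.ParseFile(fset, name, src, parser.SkipObjectResolution)
}

// nestedTypeSource builds the kind of input the advisory describes: a type
// declaration wrapped in n levels of slice brackets (constructed sample input).
func nestedTypeSource(n int) []byte {
	return []byte("package p\n\ntype T " + strings.Repeat("[]", n) + "int\n")
}

// typeNesting counts how many levels of array/slice wrapping the parsed
// declaration has, so a caller can see the depth the parser actually handled.
func typeNesting(f *ast.File) int {
	depth := 0
	for _, d := range f.Decls {
		gd, ok := d.(*ast.GenDecl)
		if !ok || gd.Tok != token.TYPE {
			continue
		}
		for _, s := range gd.Specs {
			t := s.(*ast.TypeSpec).Type
			for {
				at, ok := t.(*ast.ArrayType)
				if !ok {
					break
				}
				depth++
				t = at.Elt
			}
		}
	}
	return depth
}

func main() {
	// 3 and 5000 levels fit under the cap and parse; 200000 levels is about
	// 400 KB of source and is refused before go/parser sees it.
	for _, n := range []int{3, 5000, 200000} {
		f, err := parseUntrusted("input.go", nestedTypeSource(n))
		if err != nil {
			fmt.Printf("n=%d rejected: %v\n", n, err)
			continue
		}
		fmt.Printf("n=%d parsed, nesting=%d\n", n, typeNesting(f))
	}
}
```

The cap is deliberately coarse: it does not try to recognise nesting lexically (the `[][]...` form nests semantically without any bracket ever enclosing another), it simply makes the worst case proportional to a number the operator chose. Updating to a fixed Go release remains the actual fix; the cap is the layer that survives the next parser bug.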
CVE-2021-27919
  Priority: P4 | Severity: MEDIUM | CVSS: 5.5
  Affected: ≥ 1.16.0, < 1.16.1
  Date: 2021-03-11
  Description: archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename.
  Source: nvd
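A "../" entry name is the same input that drives zip-slip path traversal, so the check a practitioner wants is not only "does Reader.Open still panic" but "does my extraction code ever join that name onto a destination". The program below is an added example, not code from the Go project or from this page: it constructs a small in-memory archive with one benign entry and one named "../escape.txt" (sample input built with archive/zip's own writer), validates each raw File.Name with fs.ValidPath and filepath.IsLocal before use, and separately exercises the fs.FS view that the advisory is about. The helper names, the 1 MiB per-entry cap and the policy of aborting the whole extraction on a single bad name are assumptions for the illustration; filepath.IsLocal and zip.ErrInsecurePath need Go 1.20 or later.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"io/fs"
	"path/filepath"
)

// ErrUnsafeName is returned for an entry whose name could resolve outside the
// extraction directory.
var ErrUnsafeName = errors.New("zip entry name is not a safe local path")

// buildArchive constructs an in-memory zip (sample input, not a real-world
// file) with one benign entry and one whose name starts with "../", the
// shape that crashed Reader.Open before Go 1.16.1.
func buildArchive() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	entries := []struct{ name, body string }{
		{"docs/ok.txt", "benign\n"},
		{"../escape.txt", "would land outside the extraction root\n"},
	}
	for _, e := range entries {
		f, err := w.Create(e.name)
		if err != nil {
			panic(err)
		}
		if _, err := io.WriteString(f, e.body); err != nil {
			panic(err)
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// safeEntryName validates the raw File.Name before it is joined onto a
// destination: fs.ValidPath rejects "..", absolute and empty elements, and
// filepath.IsLocal (Go 1.20+) applies the host OS rules on top (drive
// letters, reserved names on Windows). It returns the OS-native relative path.
func safeEntryName(name string) (string, error) {
	native := filepath.FromSlash(name)
	if !fs.ValidPath(name) || !filepath.IsLocal(native) {
		return "", fmt.Errorf("%w: %q", ErrUnsafeName, name)
	}
	return native, nil
}

// extractToMemory reads every file entry, keyed by validated relative path.
// A single unsafe name aborts the whole extraction instead of being skipped,
// so a tampered archive is noticed rather than partially applied.
func extractToMemory(data []byte) (map[string]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if errors.Is(err, zip.ErrInsecurePath) {
		// Go 1.20+ reports bad names up front when GODEBUG=zipinsecurepath=0;
		// fold that into the same rejection the per-entry check produces.
		return nil, fmt.Errorf("%w: %v", ErrUnsafeName, err)
	}
	if err != nil {
		return nil, err
	}
	out := make(map[string]string)
	for _, f := range r.File {
		rel, err := safeEntryName(f.Name)
		if err != nil {
			return nil, err
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		body, err := io.ReadAll(io.LimitReader(rc, 1<<20)) // per-entry cap, assumed policy
		rc.Close()
		if err != nil {
			return nil, err
		}
		out[rel] = string(body)
	}
	return out, nil
}

// openViaFS exercises the fs.FS view that CVE-2021-27919 is about. On fixed
// Go versions a "../" name yields an error from Reader.Open, not a panic.
func openViaFS(data []byte, name string) error {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return err
	}
	f, err := r.Open(name)
	if err != nil {
		return err
	}
	return f.Close()
}

func main() {
	data := buildArchive()
	_, err := extractToMemory(data)
	fmt.Println("extract:", err)
	fmt.Println("Open(\"../escape.txt\"):", openViaFS(data, "../escape.txt"))
	fmt.Println("Open(\"docs/ok.txt\"):", openViaFS(data, "docs/ok.txt"))
}
```

The validation runs on r.File[i].Name rather than on the fs.FS view because the fs view cleans names for its own directory tree while extraction code normally works from the raw header; checking the value you actually join to a path is what closes the traversal, independent of which Go release fixed the crash.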
CVE-2026-32288
  Priority: P4 | Severity: MEDIUM | CVSS: 5.5 | CWE: CWE-770
  Affected: fixed in 1.25.9; ≥ 1.26.0, < 1.26.2
  Date: 2026-04-08
  Description: tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.
  Source: nvd
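Allocation driven by header content is the general failure mode here, and the layer a consumer of untrusted archives can add on its own side is a hard bound on how much of the stream tar.Reader is allowed to consume, plus caps on entry count and per-entry size. The program below is an added example, not code from the Go project or from this page; it does not reproduce a sparse-map archive. The limits struct and its numbers, the countingReader, and the three-file sample archive built with archive/tar's writer are assumptions made for the illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// limits are assumed policy values for an untrusted archive; an application
// picks its own numbers.
type limits struct {
	archiveBytes int64 // tar input we are willing to consume, headers included
	entries      int   // headers we are willing to process
	fileBytes    int64 // largest single entry body
}

var defaultLimits = limits{archiveBytes: 1 << 20, entries: 100, fileBytes: 256 << 10}

var (
	ErrArchiveTooLarge = errors.New("tar input exceeds size limit")
	ErrTooManyEntries  = errors.New("tar archive exceeds entry limit")
	ErrEntryTooLarge   = errors.New("tar entry exceeds per-file size limit")
)

type entry struct {
	Name string
	Size int64
}

// countingReader records how many bytes tar.Reader actually pulled from the
// source, so a truncation caused by the cap can be told apart from a real EOF.
type countingReader struct {
	r io.Reader
	n int64
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += int64(n)
	return n, err
}

// listBounded walks a tar stream under hard caps. Every header block,
// including the extended sparse-map blocks the advisory describes, has to be
// read from the wire, so capping the bytes consumed also bounds the amount of
// header-driven state tar.Reader can be asked to build before we give up.
func listBounded(src io.Reader, lim limits) ([]entry, error) {
	cr := &countingReader{r: io.LimitReader(src, lim.archiveBytes+1)}
	tr := tar.NewReader(cr)
	var out []entry
	for {
		hdr, err := tr.Next()
		if cr.n > lim.archiveBytes {
			// Whether Next returned an entry, io.EOF or ErrUnexpectedEOF, the
			// stream was cut by our cap, so the result is not trustworthy.
			return nil, ErrArchiveTooLarge
		}
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return nil, err
		}
		if len(out) >= lim.entries {
			return nil, ErrTooManyEntries
		}
		if hdr.Size > lim.fileBytes {
			return nil, fmt.Errorf("%w: %s (%d bytes)", ErrEntryTooLarge, hdr.Name, hdr.Size)
		}
		// Drain the body; tar.Reader stops at hdr.Size, which was just
		// bounded, so this cannot read more than lim.fileBytes for one entry.
		if _, err := io.Copy(io.Discard, tr); err != nil {
			return nil, err
		}
		out = append(out, entry{Name: hdr.Name, Size: hdr.Size})
	}
}

// buildTar constructs a small in-memory archive (sample input) with three
// regular files.
func buildTar() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for i, body := range []string{"alpha\n", "bravo\n", "charlie\n"} {
		hdr := &tar.Header{
			Name:     fmt.Sprintf("dir/file%d.txt", i),
			Mode:     0o644,
			Size:     int64(len(body)),
			Typeflag: tar.TypeReg,
		}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := io.WriteString(tw, body); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	data := buildTar()
	for _, lim := range []limits{defaultLimits, {1 << 20, 2, 256 << 10}, {1024, 100, 256 << 10}} {
		entries, err := listBounded(bytes.NewReader(data), lim)
		fmt.Printf("limits=%+v entries=%d err=%v\n", lim, len(entries), err)
	}
}
```

The byte cap is checked after every Next call rather than only on error because a LimitReader that runs dry exactly on a 512-byte block boundary looks to tar.Reader like a clean end of archive; without the count, a truncated archive would be reported as complete.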
CVE-2014-7189
  Priority: P4 | Severity: MEDIUM | CVSS: 4.3 | CWE: CWE-264
  Affected: v1.1, v1.1.1, +6 more
  Date: 2014-10-07
  Description: crypto/tls in Go 1.1 before 1.3.2, when SessionTicketsDisabled is enabled, allows man-in-the-middle attackers to spoof clients via unspecified vectors.
  Source: nvd
CVE-2025-22873
  Priority: P4 | Severity: LOW | CVSS: 3.8 | CWE: CWE-23
  Affected: fixed in 1.23.9; ≥ 1.24.0, < 1.24.3
  Date: 2026-02-04
  Description: It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.
  Source: nvd
CVE-2026-27139
  Priority: P4 | Severity: LOW | CVSS: 2.5 | CWE: CWE-22
  Affected: fixed in 1.25.8; v1.26.0
  Date: 2026-03-06
  Description: On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files out
  Source: nvd
CVE-2022-30629
  Priority: P4 | Severity: LOW | CVSS: 3.1 | CWE: CWE-330
  Affected: fixed in 1.17.11; ≥ 1.18.0, < 1.18.3
  Date: 2022-08-10
  Description: Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
  Source: nvd