CVE-2025-22871: The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size...
Severity: Critical | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.23.8 | CVSS Score: 9.10

CVE-2024-24790: The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6...
Severity: Critical | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.21.11 | CVSS Score: 9.80

CVE-2023-39320: The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and bi...
Severity: Critical | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.21.1 | CVSS Score: 9.80

CVE-2023-39325: A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause ex...
Severity: High | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.20.10 | CVSS Score: 7.50

CVE-2025-47907: Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a c...
Severity: High | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.23.12 | CVSS Score: 7.00

CVE-2023-39322: QUIC connections do not set an upper bound on the amount of data buffered when reading post-hands...
Severity: High | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.21.1 | CVSS Score: 7.50

CVE-2024-34158: Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic du...
Severity: High | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.22.7 | CVSS Score: 7.50

CVE-2024-24784: The ParseAddressList function incorrectly handles comments (text within parentheses) within displ...
Severity: High | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.21.8 | CVSS Score: 7.50

CVE-2023-39323: Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allo...
Severity: High | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.20.9 | CVSS Score: 8.10

GHSA-4374-p667-p6c8: A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause ex...
Severity: High | Package: golang.org/x/net | Installed Version: v0.14.0 | Fixed Version: 0.17.0 | CVSS Score: 7.50

CVE-2024-24791: The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Ex...
Severity: High | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.21.12 | CVSS Score: 7.50

CVE-2023-45288: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an e...
Severity: High | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.21.9 | CVSS Score: 7.50

CVE-2023-45285: Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "...
Severity: High | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.20.12 | CVSS Score: 7.50

CVE-2023-44487: The HTTP/2 protocol allows a denial of service (server resource consumption) because request canc...
Severity: High | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.20.10 | CVSS Score: 7.50

CVE-2024-34156: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due...
Severity: High | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.22.7 | CVSS Score: 7.50

CVE-2025-4674: The go command may execute unexpected commands when operating in untrusted VCS repositories. This...
Severity: High | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.23.11 | CVSS Score: 8.60

CVE-2023-39321: Processing an incomplete post-handshake message for a QUIC connection can cause a panic.
Severity: High | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.21.1 | CVSS Score: 7.50

GHSA-qppj-fm5r-hxr3: The HTTP/2 protocol allows a denial of service (server resource consumption) because request canc...
Severity: Medium | Package: golang.org/x/net | Installed Version: v0.14.0 | Fixed Version: 0.17.0 | CVSS Score: 5.30

CVE-2024-24785: If errors returned from MarshalJSON methods contain user controlled data, they may be used to bre...
Severity: Medium | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.21.8 | CVSS Score: 5.40

CVE-2024-24787: On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when usin...
Severity: Medium | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.21.10 | CVSS Score: 6.40

CVE-2023-45290: When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly wi...
Severity: Medium | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.21.8 | CVSS Score: 6.50

CVE-2024-45341: A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI na...
Severity: Medium | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.22.11 | CVSS Score: 6.10

CVE-2024-24789: The archive/zip package's handling of certain types of invalid zip files differs from the behavio...
Severity: Medium | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.21.11 | CVSS Score: 5.50

GHSA-vvgc-356p-c3xw: The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus...
Severity: Medium | Package: golang.org/x/net | Installed Version: v0.14.0 | Fixed Version: 0.38.0 | CVSS Score: Unknown

CVE-2024-24783: Verifying a certificate chain which contains a certificate with an unknown public key algorithm w...
Severity: Medium | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.21.8 | CVSS Score: 5.90

CVE-2023-45289: When following an HTTP redirect to a domain which is not a subdomain match or exact match of the...
Severity: Medium | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.21.8 | CVSS Score: 4.30

CVE-2023-39319: The html/template package does not apply the proper rules for handling occurrences of "<script",...
Severity: Medium | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.20.8 | CVSS Score: 6.10

CVE-2024-45336: The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a r...
Severity: Medium | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.22.11 | CVSS Score: 6.10

CVE-2025-47906: If the PATH environment variable contains paths which are executables (rather than just directori...
Severity: Medium | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.23.12 | CVSS Score: 6.50

CVE-2025-22866: Due to the usage of a variable time instruction in the assembly implementation of an internal fun...
Severity: Medium | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.22.12 | CVSS Score: 4.00

CVE-2023-39318: The html/template package does not properly handle HTML-like "<!--" and "-->" comment tokens, nor hashbang "#!"...
Severity: Medium | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.20.8 | CVSS Score: 6.10

CVE-2024-34155: Calling any of the Parse functions on Go source code which contains deeply nested literals can ca...
Severity: Medium | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.22.7 | CVSS Score: 4.30

CVE-2025-4673: Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentiall...
Severity: Medium | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.23.10 | CVSS Score: 6.80

GHSA-qxp5-gwg8-xv66: Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname compo...
Severity: Medium | Package: golang.org/x/net | Installed Version: v0.14.0 | Fixed Version: 0.36.0 | CVSS Score: 4.40

GHSA-4v7x-pqxf-cx7m: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an e...
Severity: Medium | Package: golang.org/x/net | Installed Version: v0.14.0 | Fixed Version: 0.23.0 | CVSS Score: 5.30

CVE-2023-39326: A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or re...
Severity: Medium | Package: stdlib | Installed Version: go1.21.0 | Fixed Version: 1.20.12 | CVSS Score: 5.30

CVE-2025-46394: In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through...
Severity: Low | Package: busybox | Installed Version: 1.37.0 | Fixed Version: (none listed) | CVSS Score: 3.30

CVE-2024-58251: In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[...
Severity: Low | Package: busybox | Installed Version: 1.37.0 | Fixed Version: (none listed) | CVSS Score: 2.50