Search
Search Results (11 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-61730 | 1 Go Standard Library | 1 Crypto Tls | 2026-01-29 | 6.2 Medium |
| During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake. | ||||
| CVE-2025-61728 | 1 Go Standard Library | 1 Archive/zip | 2026-01-29 | 6.5 Medium |
| archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. | ||||
| CVE-2025-61726 | 1 Go Standard Library | 1 Net/url | 2026-01-29 | 7.5 High |
| The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption. | ||||
| CVE-2025-61729 | 2 Go Standard Library, Golang | 2 Crypto Tls, Go | 2025-12-19 | 7.5 High |
| Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption. | ||||
| CVE-2025-61727 | 2 Go Standard Library, Golang | 2 Crypto Tls, Go | 2025-12-18 | 6.5 Medium |
| An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. | ||||
| CVE-2023-45288 | 3 Go Standard Library, Golang, Redhat | 33 Net\/http, Http2, Acm and 30 more | 2025-11-04 | 7.5 High |
| An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection. | ||||
| CVE-2025-47910 | 2 Go Standard Library, Golang | 3 Net\/http, Http2, Net | 2025-09-24 | 5.4 Medium |
| When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections. | ||||
| CVE-2024-24784 | 2 Go Standard Library, Redhat | 14 Net\/mail, Advanced Cluster Security, Ceph Storage and 11 more | 2025-02-13 | 7.5 High |
| The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers. | ||||
| CVE-2023-39322 | 3 Go Standard Library, Golang, Redhat | 18 Crypto Tls, Go, Acm and 15 more | 2025-02-13 | 7.5 High |
| QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With fix, connections now consistently reject messages larger than 65KiB in size. | ||||
| CVE-2024-34156 | 2 Go Standard Library, Redhat | 19 Encoding\/gob, Advanced Cluster Security, Ceph Storage and 16 more | 2024-11-21 | 7.5 High |
| Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. | ||||
| CVE-2024-24791 | 2 Go Standard Library, Redhat | 20 Net\/http, Amq Streams, Ceph Storage and 17 more | 2024-11-21 | 7.5 High |
| The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. | ||||
Page 1 of 1.