@alexbozhenko
Created December 5, 2025 16:53
# GOTOOLCHAIN=go1.24.1 govulncheck ./...
=== Symbol Results ===
Vulnerability #1: GO-2025-4175
Improper application of excluded DNS name constraints when verifying
wildcard names in crypto/x509
More info: https://pkg.go.dev/vuln/GO-2025-4175
Standard library
Found in: crypto/[email protected]
Fixed in: crypto/[email protected]
Example traces found:
#1: test/test.go:117:28: test.RunServerWithPortsAndName calls server.NewServer, which eventually calls x509.Certificate.Verify
Vulnerability #2: GO-2025-4155
Excessive resource consumption when printing error string for host
certificate validation in crypto/x509
More info: https://pkg.go.dev/vuln/GO-2025-4155
Standard library
Found in: crypto/[email protected]
Fixed in: crypto/[email protected]
Example traces found:
#1: test/test.go:117:28: test.RunServerWithPortsAndName calls server.NewServer, which eventually calls x509.Certificate.Verify
#2: test/test.go:92:21: test.RunLeafzStaticServer calls http.Server.ListenAndServe, which eventually calls x509.Certificate.VerifyHostname
Vulnerability #3: GO-2025-4014
Unbounded allocation when parsing GNU sparse map in archive/tar
More info: https://pkg.go.dev/vuln/GO-2025-4014
Standard library
Found in: archive/[email protected]
Fixed in: archive/[email protected]
Example traces found:
#1: test/test.go:128:2: test.RunServerWithPortsAndName calls server.Server.Start, which eventually calls tar.Reader.Next
Vulnerability #4: GO-2025-4013
Panic when validating certificates with DSA public keys in crypto/x509
More info: https://pkg.go.dev/vuln/GO-2025-4013
Standard library
Found in: crypto/[email protected]
Fixed in: crypto/[email protected]
Example traces found:
#1: test/test.go:117:28: test.RunServerWithPortsAndName calls server.NewServer, which eventually calls x509.Certificate.Verify
Vulnerability #5: GO-2025-4012
Lack of limit when parsing cookies can cause memory exhaustion in net/http
More info: https://pkg.go.dev/vuln/GO-2025-4012
Standard library
Found in: net/[email protected]
Fixed in: net/[email protected]
Example traces found:
#1: test/test.go:117:28: test.RunServerWithPortsAndName calls server.NewServer, which eventually calls http.Client.Do
#2: collector/collector.go:111:29: collector.getMetricURL calls http.Client.Get
#3: test/test.go:92:21: test.RunLeafzStaticServer calls http.Server.ListenAndServe, which eventually calls http.Request.Cookies
Vulnerability #6: GO-2025-4011
Parsing DER payload can cause memory exhaustion in encoding/asn1
More info: https://pkg.go.dev/vuln/GO-2025-4011
Standard library
Found in: encoding/[email protected]
Fixed in: encoding/[email protected]
Example traces found:
#1: test/test.go:117:28: test.RunServerWithPortsAndName calls server.NewServer, which eventually calls asn1.Unmarshal
Vulnerability #7: GO-2025-4010
Insufficient validation of bracketed IPv6 hostnames in net/url
More info: https://pkg.go.dev/vuln/GO-2025-4010
Standard library
Found in: net/[email protected]
Fixed in: net/[email protected]
Example traces found:
#1: collector/log.go:94:40: collector.ConfigureLogger calls logger.NewRemoteSysLogger, which eventually calls url.Parse
#2: main.go:45:35: prometheus.parseServerIDAndURL calls url.ParseRequestURI
#3: collector/collector.go:111:29: collector.getMetricURL calls http.Client.Get, which eventually calls url.URL.Parse
Vulnerability #8: GO-2025-4009
Quadratic complexity when parsing some invalid inputs in encoding/pem
More info: https://pkg.go.dev/vuln/GO-2025-4009
Standard library
Found in: encoding/[email protected]
Fixed in: encoding/[email protected]
Example traces found:
#1: exporter/exporter.go:316:32: exporter.NATSExporter.generateTLSConfig calls x509.CertPool.AppendCertsFromPEM, which calls pem.Decode
Vulnerability #9: GO-2025-4008
ALPN negotiation error contains attacker controlled information in
crypto/tls
More info: https://pkg.go.dev/vuln/GO-2025-4008
Standard library
Found in: crypto/[email protected]
Fixed in: crypto/[email protected]
Example traces found:
#1: test/test.go:202:25: test.CreateClientConnSubscribeAndPublish calls nats.Connect, which eventually calls tls.Conn.Handshake
#2: test/test.go:92:21: test.RunLeafzStaticServer calls http.Server.ListenAndServe, which eventually calls tls.Conn.HandshakeContext
#3: collector/collector.go:116:25: collector.getMetricURL calls io.ReadAll, which eventually calls tls.Conn.Read
#4: main.go:155:13: prometheus.main calls fmt.Printf, which eventually calls tls.Conn.Write
#5: collector/collector.go:111:29: collector.getMetricURL calls http.Client.Get, which eventually calls tls.Dialer.DialContext
Vulnerability #10: GO-2025-4007
Quadratic complexity when checking name constraints in crypto/x509
More info: https://pkg.go.dev/vuln/GO-2025-4007
Standard library
Found in: crypto/[email protected]
Fixed in: crypto/[email protected]
Example traces found:
#1: exporter/exporter.go:316:32: exporter.NATSExporter.generateTLSConfig calls x509.CertPool.AppendCertsFromPEM
#2: test/test.go:117:28: test.RunServerWithPortsAndName calls server.NewServer, which eventually calls x509.Certificate.CheckSignature
#3: test/test.go:117:28: test.RunServerWithPortsAndName calls server.NewServer, which eventually calls x509.Certificate.Verify
#4: exporter/exporter.go:298:40: exporter.NATSExporter.generateTLSConfig calls x509.ParseCertificate
#5: test/test.go:117:28: test.RunServerWithPortsAndName calls server.NewServer, which eventually calls x509.ParseCertificates
#6: exporter/exporter.go:293:34: exporter.NATSExporter.generateTLSConfig calls tls.LoadX509KeyPair, which eventually calls x509.ParseECPrivateKey
#7: exporter/exporter.go:293:34: exporter.NATSExporter.generateTLSConfig calls tls.LoadX509KeyPair, which eventually calls x509.ParsePKCS1PrivateKey
#8: exporter/exporter.go:293:34: exporter.NATSExporter.generateTLSConfig calls tls.LoadX509KeyPair, which eventually calls x509.ParsePKCS8PrivateKey
Vulnerability #11: GO-2025-3751
Sensitive headers not cleared on cross-origin redirect in net/http
More info: https://pkg.go.dev/vuln/GO-2025-3751
Standard library
Found in: net/[email protected]
Fixed in: net/[email protected]
Example traces found:
#1: test/test.go:117:28: test.RunServerWithPortsAndName calls server.NewServer, which eventually calls http.Client.Do
#2: collector/collector.go:111:29: collector.getMetricURL calls http.Client.Get
Vulnerability #12: GO-2025-3750
Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os in
syscall
More info: https://pkg.go.dev/vuln/GO-2025-3750
Standard library
Found in: [email protected]
Fixed in: [email protected]
Platforms: windows
Example traces found:
#1: test/test.go:128:2: test.RunServerWithPortsAndName calls server.Server.Start, which eventually calls os.CreateTemp
#2: test/test.go:128:2: test.RunServerWithPortsAndName calls server.Server.Start, which eventually calls os.File.ReadDir
#3: test/test.go:128:2: test.RunServerWithPortsAndName calls server.Server.Start, which eventually calls os.File.Readdirnames
#4: test/test.go:128:2: test.RunServerWithPortsAndName calls server.Server.Start, which eventually calls os.Getwd
#5: test/test.go:128:2: test.RunServerWithPortsAndName calls server.Server.Start, which eventually calls os.Lstat
#6: test/test.go:128:2: test.RunServerWithPortsAndName calls server.Server.Start, which eventually calls os.Mkdir
#7: test/test.go:176:25: test.RunJetStreamServerWithPorts calls os.MkdirAll
#8: test/test.go:184:27: test.RunJetStreamServerWithPorts calls os.MkdirTemp
#9: test/test.go:23:2: test.init calls os.init, which calls os.NewFile
#10: collector/log.go:94:40: collector.ConfigureLogger calls logger.NewRemoteSysLogger, which eventually calls os.Open
#11: collector/log.go:92:35: collector.ConfigureLogger calls logger.NewFileLogger, which eventually calls os.OpenFile
#12: test/test.go:128:2: test.RunServerWithPortsAndName calls server.Server.Start, which eventually calls os.ReadDir
#13: exporter/exporter.go:311:30: exporter.NATSExporter.generateTLSConfig calls os.ReadFile
#14: test/test.go:128:2: test.RunServerWithPortsAndName calls server.Server.Start, which eventually calls os.Remove
#15: test/test.go:128:2: test.RunServerWithPortsAndName calls server.Server.Start, which eventually calls os.RemoveAll
#16: test/test.go:128:2: test.RunServerWithPortsAndName calls server.Server.Start, which eventually calls os.Rename
#17: test/test.go:174:22: test.RunJetStreamServerWithPorts calls os.Stat
#18: test/test.go:128:2: test.RunServerWithPortsAndName calls server.Server.Start, which eventually calls os.WriteFile
#19: test/test.go:184:27: test.RunJetStreamServerWithPorts calls os.MkdirTemp, which eventually calls syscall.Open
Vulnerability #13: GO-2025-3749
Usage of ExtKeyUsageAny disables policy validation in crypto/x509
More info: https://pkg.go.dev/vuln/GO-2025-3749
Standard library
Found in: crypto/[email protected]
Fixed in: crypto/[email protected]
Example traces found:
#1: test/test.go:117:28: test.RunServerWithPortsAndName calls server.NewServer, which eventually calls x509.Certificate.Verify
Vulnerability #14: GO-2025-3563
Request smuggling due to acceptance of invalid chunked data in net/http
More info: https://pkg.go.dev/vuln/GO-2025-3563
Standard library
Found in: net/http/[email protected]
Fixed in: net/http/[email protected]
Example traces found:
#1: collector/collector.go:116:25: collector.getMetricURL calls io.ReadAll, which eventually calls internal.chunkedReader.Read
Your code is affected by 14 vulnerabilities from the Go standard library.
This scan also found 3 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
Use '-show verbose' for more details.