| Bug | trixie | forky | sid | Description |
|---|
| CVE-2025-61725 | vulnerable (no DSA) | fixed | fixed | net/mail: excessive CPU consumption in ParseAddress |
| CVE-2025-61724 | vulnerable (no DSA) | fixed | fixed | net/textproto: excessive CPU consumption in Reader.ReadResponse |
| CVE-2025-61723 | vulnerable (no DSA) | fixed | fixed | encoding/pem: quadratic complexity when parsing some invalid inputs |
| CVE-2025-58189 | vulnerable (no DSA) | fixed | fixed | crypto/tls: ALPN negotiation errors can contain arbitrary text |
| CVE-2025-58188 | vulnerable (no DSA) | fixed | fixed | crypto/x509: panic when validating certificates with DSA public keys |
| CVE-2025-58187 | vulnerable (no DSA) | fixed | fixed | crypto/x509: quadratic complexity when checking name constraints |
| CVE-2025-58186 | vulnerable (no DSA) | fixed | fixed | net/http: lack of limit when parsing cookies can cause memory exhaustion |
| CVE-2025-58185 | vulnerable (no DSA) | fixed | fixed | encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion |
| CVE-2025-58183 | vulnerable (no DSA) | fixed | fixed | archive/tar: unbounded allocation when parsing GNU sparse map |
| CVE-2025-47912 | vulnerable (no DSA) | fixed | fixed | net/url: insufficient validation of bracketed IPv6 hostnames |
| CVE-2025-47907 | vulnerable (no DSA) | fixed | fixed | Cancelling a query (e.g. by cancelling the context passed to one of th ... |
| CVE-2025-47906 | vulnerable (no DSA) | fixed | fixed | If the PATH environment variable contains paths which are executables ... |
| CVE-2025-4674 | vulnerable (no DSA) | fixed | fixed | The go command may execute unexpected commands when operating in untru ... |
| CVE-2024-8244 | vulnerable (no DSA) | vulnerable | vulnerable | The filepath.Walk and filepath.WalkDir functions are documented as not ... |
| Bug | Description |
|---|
| CVE-2025-47910 | When using http.CrossOriginProtection, the AddInsecureBypassPattern me ... |
| CVE-2025-22874 | Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsag ... |
| CVE-2025-22873 | |
| CVE-2025-22871 | The net/http package improperly accepts a bare LF as a line terminator ... |
| CVE-2025-22870 | Matching of hosts against proxy patterns can improperly treat an IPv6 ... |
| CVE-2025-22867 | On Darwin, building a Go module which contains CGO can trigger arbitra ... |
| CVE-2025-22866 | Due to the usage of a variable time instruction in the assembly implem ... |
| CVE-2025-22865 | Using ParsePKCS1PrivateKey to parse a RSA key that is missing the CRT ... |
| CVE-2025-4673 | Proxy-Authorization and Proxy-Authenticate headers persisted on cross- ... |
| CVE-2025-0913 | os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and ... |
| CVE-2024-45341 | A certificate with a URI which has a IPv6 address with a zone ID may i ... |
| CVE-2024-45340 | Credentials provided via the new GOAUTH feature were not being properl ... |
| CVE-2024-45336 | The HTTP client drops sensitive headers after following a cross-domain ... |