CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47914 – Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent
https://notcve.org/view.php?id=CVE-2025-47914
19 Nov 2025 — SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. These are all security issues fixed in the git-bug-0.10.1-3.1 package on the GA media of openSUSE Tumbleweed. • https://go.dev/cl/721960 • CWE-125: Out-of-bounds Read •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-58181 – Unbounded memory consumption in golang.org/x/crypto/ssh
https://notcve.org/view.php?id=CVE-2025-58181
19 Nov 2025 — SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. These are all security issues fixed in the cloudflared-2025.11.1-1.1 package on the GA media of openSUSE Tumbleweed. • https://go.dev/cl/721961 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47913 – Potential denial of service in golang.org/x/crypto/ssh/agent
https://notcve.org/view.php?id=CVE-2025-47913
13 Nov 2025 — SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. An update that fixes one vulnerability is now available. This update for act fixes the following issues. Prevent panic in embedded golang.org/x/crypto/ssh/agent client when receiving unexpected message types for key listing or signing requests by returning a descriptive error instead. • https://github.com/advisories/GHSA-hcg3-q754-cr77 •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22872 – Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
https://notcve.org/view.php?id=CVE-2025-22872
16 Apr 2025 — The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g.
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-30204 – jwt-go allows excessive memory allocation during header parsing
https://notcve.org/view.php?id=CVE-2025-30204
28 Feb 2025 — golang-jwt is a Go implementation of JSON Web Tokens. Prior to 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is ... • https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3 • CWE-405: Asymmetric Resource Consumption (Amplification) •
CVSS: 4.4EPSS: 0%CPEs: 2EXPL: 2CVE-2025-22870 – HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
https://notcve.org/view.php?id=CVE-2025-22870
28 Feb 2025 — Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied. A flaw was found in proxy host matching. This vulnerability allows improper bypassing of proxy settings via manipulating an IPv6 zone ID, causing unintended matches against the NO_PROXY environment variable. Kyle Seely discovered that the Go net/ht... • https://github.com/JoshuaProvoste/CVE-2025-22870 • CWE-20: Improper Input Validation CWE-115: Misinterpretation of Input •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22868 – Unexpected memory consumption during token parsing in golang.org/x/oauth2
https://notcve.org/view.php?id=CVE-2025-22868
26 Feb 2025 — An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. A flaw was found in the `golang.org/x/oauth2/jws` package in the token parsing component. This vulnerability is made possible because of the use of `strings.Split(token, ".")` to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this functionality by sending numerous malformed ... • https://go.dev/cl/652155 • CWE-1286: Improper Validation of Syntactic Correctness of Input •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22869 – Potential denial of service in golang.org/x/crypto
https://notcve.org/view.php?id=CVE-2025-22869
26 Feb 2025 — SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted. A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. This can occur during key exchange when the other party is slow to respond during key exchange. ... • https://go.dev/cl/652135 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45339 – Vulnerability when creating log files in github.com/golang/glog
https://notcve.org/view.php?id=CVE-2024-45339
28 Jan 2025 — When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists. A flaw was found in glog, a logging library. This vulnerability allows ... • https://github.com/golang/glog/pull/74 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45338 – Non-linear parsing of case-insensitive content in golang.org/x/net/html
https://notcve.org/view.php?id=CVE-2024-45338
18 Dec 2024 — An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service. A flaw was found in golang.org/x/net/html. This flaw allows an attacker to craft input to the parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This issue can cause a denial of service. • https://go.dev/cl/637536 • CWE-770: Allocation of Resources Without Limits or Throttling CWE-1333: Inefficient Regular Expression Complexity •