Action not permitted
Modal body text goes here.
Modal Title
Modal Body
Vulnerability from cleanstart
Published
2026-02-27 01:01
Modified
2026-02-26 12:09
Summary
Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate
Details
Multiple security vulnerabilities affect the argo-cd-fips package. Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. See references for individual vulnerability details.
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "argo-cd-fips"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.3-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the argo-cd-fips package. Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-QC30410",
"modified": "2026-02-26T12:09:56Z",
"published": "2026-02-27T01:01:12.325618Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-QC30410.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-55190"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-55191"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-58183"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-58185"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-58187"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-58188"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-58189"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-59537"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-59538"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61723"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61724"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61725"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-2v5j-vhc3-9cwm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-2vgg-9h3w-qbr4"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-2xsj-vh29-9cwm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-37cx-329c-33x3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-3wgm-2mw2-vh5m"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-4x4m-3c2p-qppc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-6v2p-p543-phr9"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-92cp-5422-2m47"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-93mq-9ffx-83m2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-cfpf-hrx2-8rv6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-f6x5-jh6r-wrfv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-hj2p-8wj8-pfq4"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-j5w8-q4qc-rx2x"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-mh63-6h87-95cp"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-mw99-9chc-xw7r"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55190"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55191"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58185"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58187"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58188"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58189"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59537"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59538"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61723"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61724"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61725"
}
],
"related": [],
"schema_version": "1.7.3",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate",
"upstream": [
"CVE-2025-55190",
"CVE-2025-55191",
"CVE-2025-58183",
"CVE-2025-58185",
"CVE-2025-58187",
"CVE-2025-58188",
"CVE-2025-58189",
"CVE-2025-59537",
"CVE-2025-59538",
"CVE-2025-61723",
"CVE-2025-61724",
"CVE-2025-61725",
"GHSA-2v5j-vhc3-9cwm",
"GHSA-2vgg-9h3w-qbr4",
"GHSA-2xsj-vh29-9cwm",
"GHSA-37cx-329c-33x3",
"GHSA-3wgm-2mw2-vh5m",
"GHSA-4x4m-3c2p-qppc",
"GHSA-6v2p-p543-phr9",
"GHSA-92cp-5422-2m47",
"GHSA-93mq-9ffx-83m2",
"GHSA-cfpf-hrx2-8rv6",
"GHSA-f6x5-jh6r-wrfv",
"GHSA-hj2p-8wj8-pfq4",
"GHSA-j5w8-q4qc-rx2x",
"GHSA-mh63-6h87-95cp",
"GHSA-mw99-9chc-xw7r"
]
}
GHSA-MW99-9CHC-XW7R
Vulnerability from github – Published: 2023-12-27 15:06 – Updated: 2025-01-06 15:20
VLAI?
Summary
Maliciously crafted Git server replies can cause DoS on go-git clients
Details
Impact
A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.
Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability.
This is a go-git implementation issue and does not affect the upstream git cli.
Patches
Users running versions of go-git from v4 and above are recommended to upgrade to v5.11 in order to mitigate this vulnerability.
Workarounds
In cases where a bump to the latest version of go-git is not possible, we recommend limiting its use to only trust-worthy Git servers.
Credit
Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.
References
Severity ?
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/go-git/go-git/v5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.11.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "gopkg.in/src-d/go-git.v4"
},
"ranges": [
{
"events": [
{
"introduced": "4.7.1"
},
{
"last_affected": "4.13.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-49568"
],
"database_specific": {
"cwe_ids": [
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-27T15:06:52Z",
"nvd_published_at": "2024-01-12T11:15:12Z",
"severity": "HIGH"
},
"details": "### Impact\nA denial of service (DoS) vulnerability was discovered in go-git versions prior to `v5.11`. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in `go-git` clients. \n\nApplications using only the in-memory filesystem supported by `go-git` are not affected by this vulnerability.\nThis is a `go-git` implementation issue and does not affect the upstream `git` cli.\n\n### Patches\nUsers running versions of `go-git` from `v4` and above are recommended to upgrade to `v5.11` in order to mitigate this vulnerability.\n\n### Workarounds\nIn cases where a bump to the latest version of `go-git` is not possible, we recommend limiting its use to only trust-worthy Git servers.\n\n## Credit\nThanks to Ionut Lalu for responsibly disclosing this vulnerability to us.\n\n### References\n- [GHSA-mw99-9chc-xw7r](https://github.com/go-git/go-git/security/advisories/GHSA-mw99-9chc-xw7r)\n",
"id": "GHSA-mw99-9chc-xw7r",
"modified": "2025-01-06T15:20:39Z",
"published": "2023-12-27T15:06:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/go-git/go-git/security/advisories/GHSA-mw99-9chc-xw7r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49568"
},
{
"type": "PACKAGE",
"url": "https://github.com/go-git/go-git"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Maliciously crafted Git server replies can cause DoS on go-git clients"
}
GHSA-HJ2P-8WJ8-PFQ4
Vulnerability from github – Published: 2025-06-23 18:30 – Updated: 2025-08-06 21:47
VLAI?
Summary
kubernetes allows nodes to bypass dynamic resource allocation authorization checks
Details
A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.
Severity ?
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.32.5"
},
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.32.0"
},
{
"fixed": "1.32.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.33.1"
},
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.33.0"
},
{
"fixed": "1.33.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-4563"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-23T22:41:38Z",
"nvd_published_at": "2025-06-23T16:15:27Z",
"severity": "LOW"
},
"details": "A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.",
"id": "GHSA-hj2p-8wj8-pfq4",
"modified": "2025-08-06T21:47:22Z",
"published": "2025-06-23T18:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4563"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/issues/132151"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/pull/131844"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/pull/131875"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/pull/131876"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubernetes/kubernetes"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/kubernetes-security-announce/c/Zv84LMRuvMQ"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3774"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "kubernetes allows nodes to bypass dynamic resource allocation authorization checks"
}
GHSA-MH63-6H87-95CP
Vulnerability from github – Published: 2025-03-21 22:04 – Updated: 2025-04-10 13:02
VLAI?
Summary
jwt-go allows excessive memory allocation during header parsing
Details
Summary
Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.
As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)
Details
Impact
Excessive memory allocation
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/golang-jwt/jwt/v5"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-rc.1"
},
{
"fixed": "5.2.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/golang-jwt/jwt/v4"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/golang-jwt/jwt"
},
"ranges": [
{
"events": [
{
"introduced": "3.2.0"
},
{
"last_affected": "3.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-30204"
],
"database_specific": {
"cwe_ids": [
"CWE-405"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-21T22:04:00Z",
"nvd_published_at": "2025-03-21T22:15:26Z",
"severity": "HIGH"
},
"details": "### Summary\n\nFunction [`parse.ParseUnverified`](https://github.com/golang-jwt/jwt/blob/c035977d9e11c351f4c05dfeae193923cbab49ee/parser.go#L138-L139) currently splits (via a call to [strings.Split](https://pkg.go.dev/strings#Split)) its argument (which is untrusted data) on periods.\n\nAs a result, in the face of a malicious request whose _Authorization_ header consists of `Bearer ` followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function\u0027s argument), with a constant factor of about 16. Relevant weakness: [CWE-405: Asymmetric Resource Consumption (Amplification)](https://cwe.mitre.org/data/definitions/405.html)\n\n### Details\n\nSee [`parse.ParseUnverified`](https://github.com/golang-jwt/jwt/blob/c035977d9e11c351f4c05dfeae193923cbab49ee/parser.go#L138-L139) \n\n### Impact\n\nExcessive memory allocation",
"id": "GHSA-mh63-6h87-95cp",
"modified": "2025-04-10T13:02:34Z",
"published": "2025-03-21T22:04:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30204"
},
{
"type": "WEB",
"url": "https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3"
},
{
"type": "WEB",
"url": "https://github.com/golang-jwt/jwt/commit/bf316c48137a1212f8d0af9288cc9ce8e59f1afb"
},
{
"type": "PACKAGE",
"url": "https://github.com/golang-jwt/jwt"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250404-0002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "jwt-go allows excessive memory allocation during header parsing"
}
GHSA-CFPF-HRX2-8RV6
Vulnerability from github – Published: 2025-12-16 22:34 – Updated: 2025-12-16 22:34
VLAI?
Summary
Expr has Denial of Service via Unbounded Recursion in Builtin Functions
Details
Several builtin functions in Expr, including flatten, min, max, mean, and median, perform
recursive traversal over user-provided data structures without enforcing a maximum recursion depth.
If the evaluation environment contains deeply nested or cyclic data structures, these functions may recurse indefinitely until exceed the Go runtime stack limit. This results in a stack overflow panic, causing the host application to crash.
While exploitability depends on whether an attacker can influence or inject cyclic or pathologically deep data into the evaluation environment, this behavior represents a denial-of-service (DoS) risk and affects overall library robustness. Instead of returning a recoverable evaluation error, the process may terminate unexpectedly.
Impact
In affected versions, evaluation of expressions that invoke certain builtin functions on untrusted or insufficiently validated data structures can lead to a process-level crash due to stack exhaustion.
This issue is most relevant in scenarios where:
- Expr is used to evaluate expressions against externally supplied or dynamically constructed environments.
- Cyclic references (directly or indirectly) can be introduced into arrays, maps, or structs.
- There are no application-level safeguards preventing deeply nested input data.
In typical use cases with controlled, acyclic data, the issue may not manifest. However, when present, the resulting panic can be used to reliably crash the application, constituting a denial of service.
Patches
The issue has been fixed in the v1.17.7 versions of Expr.
The patch introduces a maximum recursion depth limit for affected builtin functions. When this limit is exceeded, evaluation aborts gracefully and returns a descriptive error instead of panicking.
Additionally, the maximum depth can be customized by users via builtin.MaxDepth, allowing applications with legitimate
deep structures to raise the limit in a controlled manner.
Users are strongly encouraged to upgrade to the patched release, which includes both the recursion guard and comprehensive test coverage to prevent regressions.
Workarounds
For users who cannot immediately upgrade, the following mitigations are recommended:
- Ensure that evaluation environments cannot contain cyclic references.
- Validate or sanitize externally supplied data structures before passing them to Expr.
- Wrap expression evaluation with panic recovery to prevent a full process crash (as a last-resort defensive measure).
These workarounds reduce risk but do not fully eliminate the issue without the patch.
Severity ?
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/expr-lang/expr"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68156"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-16T22:34:16Z",
"nvd_published_at": "2025-12-16T19:16:00Z",
"severity": "HIGH"
},
"details": "Several builtin functions in Expr, including `flatten`, `min`, `max`, `mean`, and `median`, perform\nrecursive traversal over user-provided data structures without enforcing a maximum recursion depth.\n\nIf the evaluation environment contains **deeply nested** or **cyclic** data structures, these functions may recurse\nindefinitely until exceed the Go runtime stack limit. This results in a **stack overflow panic**, causing the host\napplication to crash.\n\nWhile exploitability depends on whether an attacker can influence or inject cyclic or pathologically deep data into the\nevaluation environment, this behavior represents a denial-of-service (DoS) risk and affects overall library robustness.\nInstead of returning a recoverable evaluation error, the process may terminate unexpectedly.\n\n### Impact\n\nIn affected versions, evaluation of expressions that invoke certain builtin functions on untrusted or insufficiently\nvalidated data structures can lead to a **process-level crash** due to stack exhaustion.\n\nThis issue is most relevant in scenarios where:\n\n* Expr is used to evaluate expressions against externally supplied or dynamically constructed environments.\n* Cyclic references (directly or indirectly) can be introduced into arrays, maps, or structs.\n* There are no application-level safeguards preventing deeply nested input data.\n\nIn typical use cases with controlled, acyclic data, the issue may not manifest. However, when present, the resulting\npanic can be used to reliably crash the application, constituting a denial of service.\n\n### Patches\n\nThe issue has been fixed in the v1.17.7 versions of Expr.\n\nThe patch introduces a **maximum recursion depth limit** for affected builtin functions. When this limit is exceeded,\nevaluation aborts gracefully and returns a descriptive error instead of panicking.\n\nAdditionally, the maximum depth can be customized by users via `builtin.MaxDepth`, allowing applications with legitimate\ndeep structures to raise the limit in a controlled manner.\n\nUsers are strongly encouraged to upgrade to the patched release, which includes both the recursion guard and\ncomprehensive test coverage to prevent regressions.\n\n### Workarounds\n\nFor users who cannot immediately upgrade, the following mitigations are recommended:\n\n* Ensure that evaluation environments cannot contain cyclic references.\n* Validate or sanitize externally supplied data structures before passing them to Expr.\n* Wrap expression evaluation with panic recovery to prevent a full process crash (as a last-resort defensive measure).\n\nThese workarounds reduce risk but do not fully eliminate the issue without the patch.",
"id": "GHSA-cfpf-hrx2-8rv6",
"modified": "2025-12-16T22:34:16Z",
"published": "2025-12-16T22:34:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/expr-lang/expr/security/advisories/GHSA-cfpf-hrx2-8rv6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68156"
},
{
"type": "WEB",
"url": "https://github.com/expr-lang/expr/pull/870"
},
{
"type": "PACKAGE",
"url": "https://github.com/expr-lang/expr"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Expr has Denial of Service via Unbounded Recursion in Builtin Functions"
}
GHSA-J5W8-Q4QC-RX2X
Vulnerability from github – Published: 2025-11-19 23:01 – Updated: 2025-11-19 23:01
VLAI?
Summary
golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption
Details
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
Severity ?
5.3 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "golang.org/x/crypto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.45.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-58181"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-19T23:01:20Z",
"nvd_published_at": "2025-11-19T21:15:50Z",
"severity": "MODERATE"
},
"details": "SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.",
"id": "GHSA-j5w8-q4qc-rx2x",
"modified": "2025-11-19T23:01:20Z",
"published": "2025-11-19T23:01:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58181"
},
{
"type": "WEB",
"url": "https://go.dev/cl/721961"
},
{
"type": "WEB",
"url": "https://go.dev/issue/76363"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-4134"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption"
}
GHSA-93MQ-9FFX-83M2
Vulnerability from github – Published: 2025-03-17 21:26 – Updated: 2025-03-17 21:26
VLAI?
Summary
Memory Exhaustion in Expr Parser with Unrestricted Input
Details
Impact
If the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression. In scenarios where input size isn’t limited, a malicious or inadvertent extremely large expression can consume excessive memory as the parser builds a huge AST. This can ultimately lead to excessive memory usage and an Out-Of-Memory (OOM) crash of the process. This issue is relatively uncommon and will only manifest when there are no restrictions on the input size, i.e. the expression length is allowed to grow arbitrarily large. In typical use cases where inputs are bounded or validated, this problem would not occur.
Patches
The problem has been patched in the latest versions of the Expr library. The fix introduces compile-time limits on the number of AST nodes and memory usage during parsing, preventing any single expression from exhausting resources. Users should upgrade to Expr version 1.17.0 or later, as this release includes the new node budget and memory limit safeguards. Upgrading to v1.17.0 ensures that extremely deep or large expressions are detected and safely aborted during compilation, avoiding the OOM condition.
Workarounds
For users who cannot immediately upgrade, the recommended workaround is to impose an input size restriction before parsing. In practice, this means validating or limiting the length of expression strings that your application will accept. For example, set a maximum allowable number of characters (or nodes) for any expression and reject or truncate inputs that exceed this limit. By ensuring no unbounded-length expression is ever fed into the parser, you can prevent the parser from constructing a pathologically large AST and avoid potential memory exhaustion. In short, pre-validate and cap input size as a safeguard in the absence of the patch.
References
-
762
Severity ?
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/expr-lang/expr"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-29786"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-17T21:26:22Z",
"nvd_published_at": "2025-03-17T14:15:22Z",
"severity": "HIGH"
},
"details": "### Impact\nIf the Expr expression parser is given an **unbounded input string**, it will attempt to compile the *entire* string and generate an Abstract Syntax Tree (AST) node for each part of the expression. In scenarios where input size isn\u2019t limited, a malicious or inadvertent extremely large expression can consume excessive memory as the parser builds a huge AST. This can ultimately lead to **excessive memory usage** and an **Out-Of-Memory (OOM) crash** of the process. This issue is relatively uncommon and will only manifest when there are **no restrictions on the input size**, i.e. the expression length is allowed to grow arbitrarily large. In typical use cases where inputs are bounded or validated, this problem would not occur.\n\n### Patches\n\nThe problem has been **patched** in the latest versions of the Expr library. The fix introduces compile-time limits on the number of AST nodes and memory usage during parsing, preventing any single expression from exhausting resources. Users should upgrade to **Expr version 1.17.0 or later**, as this release includes the new node budget and memory limit safeguards. Upgrading to v1.17.0 ensures that extremely deep or large expressions are detected and safely aborted during compilation, avoiding the OOM condition.\n\n### Workarounds\n\nFor users who cannot immediately upgrade, the recommended workaround is to **impose an input size restriction before parsing**. In practice, this means validating or limiting the length of expression strings that your application will accept. For example, set a maximum allowable number of characters (or nodes) for any expression and reject or truncate inputs that exceed this limit. By ensuring no unbounded-length expression is ever fed into the parser, you can prevent the parser from constructing a pathologically large AST and avoid potential memory exhaustion. In short, **pre-validate and cap input size** as a safeguard in the absence of the patch.\n\n### References\n\n- #762",
"id": "GHSA-93mq-9ffx-83m2",
"modified": "2025-03-17T21:26:22Z",
"published": "2025-03-17T21:26:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/expr-lang/expr/security/advisories/GHSA-93mq-9ffx-83m2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29786"
},
{
"type": "WEB",
"url": "https://github.com/expr-lang/expr/pull/762"
},
{
"type": "WEB",
"url": "https://github.com/expr-lang/expr/commit/0d19441454426d2f58edb22c31f3ba5f99c7a26e"
},
{
"type": "PACKAGE",
"url": "https://github.com/expr-lang/expr"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Memory Exhaustion in Expr Parser with Unrestricted Input"
}
GHSA-4X4M-3C2P-QPPC
Vulnerability from github – Published: 2025-08-27 18:31 – Updated: 2025-08-27 19:20
VLAI?
Summary
Kubernetes Nodes can delete themselves by adding an OwnerReference
Details
A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection.
Severity ?
6.7 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.31.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 1.32.7"
},
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.32.0-alpha.0"
},
{
"fixed": "1.32.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.33.0-alpha.0"
},
{
"fixed": "1.33.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-5187"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-27T19:20:29Z",
"nvd_published_at": "2025-08-27T17:15:48Z",
"severity": "MODERATE"
},
"details": "A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection.",
"id": "GHSA-4x4m-3c2p-qppc",
"modified": "2025-08-27T19:20:29Z",
"published": "2025-08-27T18:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5187"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/issues/133471"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/commit/a2d98cac56a0c5cb2d8abc4d087fc00846b3bc0f"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubernetes/kubernetes"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/kubernetes-security-announce/c/znSNY7XCztE"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Kubernetes Nodes can delete themselves by adding an OwnerReference"
}
GHSA-F6X5-JH6R-WRFV
Vulnerability from github – Published: 2025-11-19 23:16 – Updated: 2025-11-20 16:35
VLAI?
Summary
golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read
Details
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
Severity ?
5.3 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "golang.org/x/crypto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.45.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-47914"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-19T23:16:40Z",
"nvd_published_at": "2025-11-19T21:15:50Z",
"severity": "MODERATE"
},
"details": "SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.",
"id": "GHSA-f6x5-jh6r-wrfv",
"modified": "2025-11-20T16:35:18Z",
"published": "2025-11-19T23:16:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47914"
},
{
"type": "WEB",
"url": "https://go.dev/cl/721960"
},
{
"type": "WEB",
"url": "https://go.dev/issue/76364"
},
{
"type": "WEB",
"url": "https://go.googlesource.com/crypto"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-4135"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read"
}
GHSA-6V2P-P543-PHR9
Vulnerability from github – Published: 2025-07-18 17:27 – Updated: 2025-07-18 17:27
VLAI?
Summary
golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability
Details
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
Severity ?
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "golang.org/x/oauth2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.27.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-22868"
],
"database_specific": {
"cwe_ids": [
"CWE-1286"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-18T17:27:22Z",
"nvd_published_at": "2025-02-26T08:14:24Z",
"severity": "HIGH"
},
"details": "An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.",
"id": "GHSA-6v2p-p543-phr9",
"modified": "2025-07-18T17:27:22Z",
"published": "2025-07-18T17:27:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868"
},
{
"type": "WEB",
"url": "https://go.dev/cl/652155"
},
{
"type": "WEB",
"url": "https://go.dev/issue/71490"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3488"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability"
}
GHSA-37CX-329C-33X3
Vulnerability from github – Published: 2026-02-10 00:28 – Updated: 2026-02-10 02:57
VLAI?
Summary
go-git improperly verifies data integrity values for .idx and .pack files
Details
Impact
A vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would likely result in unexpected errors such as object not found.
For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (.idx) are generated locally by go-git, or the git cli, when new .pack files are received and processed. The integrity checks for both files were not being verified correctly.
Note that the lack of verification of the packfile checksum has no impact on the trust relationship between the client and server, which is enforced based on the protocol being used (e.g. TLS in the case of https:// or known hosts for ssh://). In other words, the packfile checksum verification does not provide any security benefits when connecting to a malicious or compromised Git server.
Patches
Users should upgrade to v5.16.5, or the latest v6 pseudo-version, in order to mitigate this vulnerability.
Workarounds
In case updating to a fixed version of go-git is not possible, users can run git fsck from the git cli to check for data corruption on a given repository.
Credit
Thanks @N0zoM1z0 for finding and reporting this issue privately to the go-git project.
Severity ?
4.3 (Medium)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.16.4"
},
"package": {
"ecosystem": "Go",
"name": "github.com/go-git/go-git/v5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.16.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25934"
],
"database_specific": {
"cwe_ids": [
"CWE-354"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-10T00:28:53Z",
"nvd_published_at": "2026-02-09T23:16:05Z",
"severity": "MODERATE"
},
"details": "### Impact \n\nA vulnerability was discovered in `go-git` whereby data integrity values for `.pack` and `.idx` files were not properly verified. This resulted in `go-git` potentially consuming corrupted files, which would likely result in unexpected errors such as `object not found`.\n\nFor context, clients fetch [`packfiles`](https://git-scm.com/docs/pack-protocol#_packfile_data) from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (`.idx`) are [generated](https://git-scm.com/docs/pack-format) locally by `go-git`, or the `git` cli, when new `.pack` files are received and processed. The integrity checks for both files were not being verified correctly.\n\nNote that the lack of verification of the packfile checksum has no impact on the trust relationship between the client and server, which is enforced based on the protocol being used (e.g. TLS in the case of `https://` or known hosts for `ssh://`). In other words, the packfile checksum verification does not provide any security benefits when connecting to a malicious or compromised Git server.\n\n### Patches\n\nUsers should upgrade to `v5.16.5`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability.\n\n### Workarounds\n\nIn case updating to a fixed version of `go-git` is not possible, users can run [git fsck](https://git-scm.com/docs/git-fsck) from the `git` cli to check for data corruption on a given repository. \n\n### Credit\n\nThanks @N0zoM1z0 for finding and reporting this issue privately to the `go-git` project.",
"id": "GHSA-37cx-329c-33x3",
"modified": "2026-02-10T02:57:13Z",
"published": "2026-02-10T00:28:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/go-git/go-git/security/advisories/GHSA-37cx-329c-33x3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25934"
},
{
"type": "PACKAGE",
"url": "https://github.com/go-git/go-git"
},
{
"type": "WEB",
"url": "https://github.com/go-git/go-git/releases/tag/v5.16.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "go-git improperly verifies data integrity values for .idx and .pack files"
}
CVE-2025-61725 (GCVE-0-2025-61725)
Vulnerability from cvelistv5 – Published: 2025-10-29 22:10 – Updated: 2025-12-09 17:42
VLAI?
EPSS
Title
Excessive CPU consumption in ParseAddress in net/mail
Summary
The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.
Severity ?
7.5 (High)
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go standard library | net/mail |
Affected:
0 , < 1.24.8
(semver)
Affected: 1.25.0 , < 1.25.2 (semver) |
Credits
Philippe Antoine (Catena cyber)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-61725",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-03T19:44:00.658774Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T19:44:03.341Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:14:05.236Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/08/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net/mail",
"product": "net/mail",
"programRoutines": [
{
"name": "addrParser.consumeDomainLiteral"
},
{
"name": "AddressParser.Parse"
},
{
"name": "AddressParser.ParseList"
},
{
"name": "Header.AddressList"
},
{
"name": "ParseAddress"
},
{
"name": "ParseAddressList"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.24.8",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.25.2",
"status": "affected",
"version": "1.25.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Philippe Antoine (Catena cyber)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T17:42:06.541Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/709860"
},
{
"url": "https://go.dev/issue/75680"
},
{
"url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
},
{
"url": "https://pkg.go.dev/vuln/GO-2025-4006"
}
],
"title": "Excessive CPU consumption in ParseAddress in net/mail"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-61725",
"datePublished": "2025-10-29T22:10:12.255Z",
"dateReserved": "2025-09-30T15:05:03.605Z",
"dateUpdated": "2025-12-09T17:42:06.541Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-55191 (GCVE-0-2025-55191)
Vulnerability from cvelistv5 – Published: 2025-09-30 22:52 – Updated: 2025-10-06 18:32
VLAI?
EPSS
Title
Repository Credentials Race Condition Crashes Argo CD Server
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic and crash when concurrent operations are performed on the same repository URL. The vulnerability is located in numerous repository related handlers in the util/db/repository_secrets.go file. A valid API token with repositories resource permissions (create, update, or delete actions) is required to trigger the race condition. This vulnerability causes the entire Argo CD server to crash and become unavailable. Attackers can repeatedly and continuously trigger the race condition to maintain a denial-of-service state, disrupting all GitOps operations. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
Severity ?
6.5 (Medium)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55191",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-06T18:32:25.830089Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T18:32:34.110Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.1.0, \u003c 2.14.20"
},
{
"status": "affected",
"version": "= 3.2.0-rc1"
},
{
"status": "affected",
"version": "\u003e= 3.1.0-rc1, \u003c 3.1.8"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-rc1, \u003c 3.0.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic and crash when concurrent operations are performed on the same repository URL. The vulnerability is located in numerous repository related handlers in the util/db/repository_secrets.go file. A valid API token with repositories resource permissions (create, update, or delete actions) is required to trigger the race condition. This vulnerability causes the entire Argo CD server to crash and become unavailable. Attackers can repeatedly and continuously trigger the race condition to maintain a denial-of-service state, disrupting all GitOps operations. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T22:52:19.838Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-g88p-r42r-ppp9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-g88p-r42r-ppp9"
},
{
"name": "https://github.com/argoproj/argo-cd/pull/6103",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/pull/6103"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/701bc50d01c752cad96185f848088d287a97c7b7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/701bc50d01c752cad96185f848088d287a97c7b7"
}
],
"source": {
"advisory": "GHSA-g88p-r42r-ppp9",
"discovery": "UNKNOWN"
},
"title": "Repository Credentials Race Condition Crashes Argo CD Server"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55191",
"datePublished": "2025-09-30T22:52:19.838Z",
"dateReserved": "2025-08-08T21:55:07.963Z",
"dateUpdated": "2025-10-06T18:32:34.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-58188 (GCVE-0-2025-58188)
Vulnerability from cvelistv5 – Published: 2025-10-29 22:10 – Updated: 2025-11-04 21:13
VLAI?
EPSS
Title
Panic when validating certificates with DSA public keys in crypto/x509
Summary
Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.
Severity ?
7.5 (High)
CWE
- CWE-248 - Uncaught Exception
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go standard library | crypto/x509 |
Affected:
0 , < 1.24.8
(semver)
Affected: 1.25.0 , < 1.25.2 (semver) |
Credits
Jakub Ciolek
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58188",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-30T14:23:42.371985Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T14:24:08.688Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:38.109Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/08/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "crypto/x509",
"product": "crypto/x509",
"programRoutines": [
{
"name": "alreadyInChain"
},
{
"name": "Certificate.Verify"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.24.8",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.25.2",
"status": "affected",
"version": "1.25.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jakub Ciolek"
}
],
"descriptions": [
{
"lang": "en",
"value": "Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-248: Uncaught Exception",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T22:10:14.143Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/709853"
},
{
"url": "https://go.dev/issue/75675"
},
{
"url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
},
{
"url": "https://pkg.go.dev/vuln/GO-2025-4013"
}
],
"title": "Panic when validating certificates with DSA public keys in crypto/x509"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-58188",
"datePublished": "2025-10-29T22:10:14.143Z",
"dateReserved": "2025-08-27T14:50:58.692Z",
"dateUpdated": "2025-11-04T21:13:38.109Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58189 (GCVE-0-2025-58189)
Vulnerability from cvelistv5 – Published: 2025-10-29 22:10 – Updated: 2025-11-04 21:13
VLAI?
EPSS
Title
ALPN negotiation error contains attacker controlled information in crypto/tls
Summary
When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.
Severity ?
5.3 (Medium)
CWE
- CWE-117 - Improper Output Neutralization for Logs
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go standard library | crypto/tls |
Affected:
0 , < 1.24.8
(semver)
Affected: 1.25.0 , < 1.25.2 (semver) |
Credits
National Cyber Security Centre Finland
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58189",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-03T19:50:48.668117Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T19:51:22.704Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:39.428Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/08/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "crypto/tls",
"product": "crypto/tls",
"programRoutines": [
{
"name": "negotiateALPN"
},
{
"name": "Conn.Handshake"
},
{
"name": "Conn.HandshakeContext"
},
{
"name": "Conn.Read"
},
{
"name": "Conn.Write"
},
{
"name": "Dial"
},
{
"name": "DialWithDialer"
},
{
"name": "Dialer.Dial"
},
{
"name": "Dialer.DialContext"
},
{
"name": "QUICConn.Start"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.24.8",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.25.2",
"status": "affected",
"version": "1.25.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "National Cyber Security Centre Finland"
}
],
"descriptions": [
{
"lang": "en",
"value": "When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-117: Improper Output Neutralization for Logs",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T22:10:12.947Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/707776"
},
{
"url": "https://go.dev/issue/75652"
},
{
"url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
},
{
"url": "https://pkg.go.dev/vuln/GO-2025-4008"
}
],
"title": "ALPN negotiation error contains attacker controlled information in crypto/tls"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-58189",
"datePublished": "2025-10-29T22:10:12.947Z",
"dateReserved": "2025-08-27T14:50:58.692Z",
"dateUpdated": "2025-11-04T21:13:39.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-61724 (GCVE-0-2025-61724)
Vulnerability from cvelistv5 – Published: 2025-10-29 22:10 – Updated: 2025-11-04 21:14
VLAI?
EPSS
Title
Excessive CPU consumption in Reader.ReadResponse in net/textproto
Summary
The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.
Severity ?
5.3 (Medium)
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go standard library | net/textproto |
Affected:
0 , < 1.24.8
(semver)
Affected: 1.25.0 , < 1.25.2 (semver) |
Credits
Jakub Ciolek
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-61724",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-30T14:22:06.282935Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T14:22:16.112Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:14:03.930Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/08/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net/textproto",
"product": "net/textproto",
"programRoutines": [
{
"name": "Reader.ReadResponse"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.24.8",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.25.2",
"status": "affected",
"version": "1.25.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jakub Ciolek"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T22:10:14.609Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/709859"
},
{
"url": "https://go.dev/issue/75716"
},
{
"url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
},
{
"url": "https://pkg.go.dev/vuln/GO-2025-4015"
}
],
"title": "Excessive CPU consumption in Reader.ReadResponse in net/textproto"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-61724",
"datePublished": "2025-10-29T22:10:14.609Z",
"dateReserved": "2025-09-30T15:05:03.605Z",
"dateUpdated": "2025-11-04T21:14:03.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-61723 (GCVE-0-2025-61723)
Vulnerability from cvelistv5 – Published: 2025-10-29 22:10 – Updated: 2025-11-04 21:14
VLAI?
EPSS
Title
Quadratic complexity when parsing some invalid inputs in encoding/pem
Summary
The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.
Severity ?
7.5 (High)
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go standard library | encoding/pem |
Affected:
0 , < 1.24.8
(semver)
Affected: 1.25.0 , < 1.25.2 (semver) |
Credits
Jakub Ciolek
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-61723",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-30T20:35:15.752525Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T14:48:59.920Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:14:02.531Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/08/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "encoding/pem",
"product": "encoding/pem",
"programRoutines": [
{
"name": "getLine"
},
{
"name": "Decode"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.24.8",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.25.2",
"status": "affected",
"version": "1.25.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jakub Ciolek"
}
],
"descriptions": [
{
"lang": "en",
"value": "The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T22:10:13.220Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/75676"
},
{
"url": "https://go.dev/cl/709858"
},
{
"url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
},
{
"url": "https://pkg.go.dev/vuln/GO-2025-4009"
}
],
"title": "Quadratic complexity when parsing some invalid inputs in encoding/pem"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-61723",
"datePublished": "2025-10-29T22:10:13.220Z",
"dateReserved": "2025-09-30T15:05:03.604Z",
"dateUpdated": "2025-11-04T21:14:02.531Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-55190 (GCVE-0-2025-55190)
Vulnerability from cvelistv5 – Published: 2025-09-04 22:37 – Updated: 2025-09-05 16:07
VLAI?
EPSS
Title
Argo CD: Project API Token Exposes Repository Credentials
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: `p, role/user, projects, get, *, allow`. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2.
Severity ?
10 (Critical)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55190",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-05T16:07:11.324151Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T16:07:25.315Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.13.0, \u003c 2.13.9"
},
{
"status": "affected",
"version": "\u003e= 2.14.0, \u003c 2.14.16"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.0.14"
},
{
"status": "affected",
"version": "\u003e= 3.1.0-rc1, \u003c 3.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: `p, role/user, projects, get, *, allow`. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-04T22:37:52.811Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-786q-9hcg-v9ff",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-786q-9hcg-v9ff"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/e8f86101f5378662ae6151ce5c3a76e9141900e8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/e8f86101f5378662ae6151ce5c3a76e9141900e8"
}
],
"source": {
"advisory": "GHSA-786q-9hcg-v9ff",
"discovery": "UNKNOWN"
},
"title": "Argo CD: Project API Token Exposes Repository Credentials"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55190",
"datePublished": "2025-09-04T22:37:52.811Z",
"dateReserved": "2025-08-08T21:55:07.963Z",
"dateUpdated": "2025-09-05T16:07:25.315Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-58183 (GCVE-0-2025-58183)
Vulnerability from cvelistv5 – Published: 2025-10-29 22:10 – Updated: 2025-11-04 21:13
VLAI?
EPSS
Title
Unbounded allocation when parsing GNU sparse map in archive/tar
Summary
tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.
Severity ?
4.3 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go standard library | archive/tar |
Affected:
0 , < 1.24.8
(semver)
Affected: 1.25.0 , < 1.25.2 (semver) |
Credits
Harshit Gupta (Mr HAX)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58183",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-30T14:22:41.219110Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T19:56:37.377Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:32.834Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/08/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "archive/tar",
"product": "archive/tar",
"programRoutines": [
{
"name": "readGNUSparseMap1x0"
},
{
"name": "Reader.Next"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.24.8",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.25.2",
"status": "affected",
"version": "1.25.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Harshit Gupta (Mr HAX)"
}
],
"descriptions": [
{
"lang": "en",
"value": "tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T22:10:14.376Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/709861"
},
{
"url": "https://go.dev/issue/75677"
},
{
"url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
},
{
"url": "https://pkg.go.dev/vuln/GO-2025-4014"
}
],
"title": "Unbounded allocation when parsing GNU sparse map in archive/tar"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-58183",
"datePublished": "2025-10-29T22:10:14.376Z",
"dateReserved": "2025-08-27T14:50:58.691Z",
"dateUpdated": "2025-11-04T21:13:32.834Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59537 (GCVE-0-2025-59537)
Vulnerability from cvelistv5 – Published: 2025-10-01 21:01 – Updated: 2025-10-02 15:54
VLAI?
EPSS
Title
argo-cd is vulnerable to unauthenticated DoS attack via malformed Gogs webhook payload
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
Severity ?
7.5 (High)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59537",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T15:35:13.081671Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T15:54:17.919Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c= 1.8.7"
},
{
"status": "affected",
"version": "\u003e= 2.0.0-rc1, \u003c 2.14.20"
},
{
"status": "affected",
"version": "\u003e= 3.2.0-rc1, \u003c 3.2.0-rc2"
},
{
"status": "affected",
"version": "\u003e= 3.1.0-rc1, \u003c 3.1.8"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-rc1, \u003c 3.0.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret set, Argo CD\u2019s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T21:01:36.519Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/761fc27068d2d4cd24e1f784eb2a9033b5ee7f43",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/761fc27068d2d4cd24e1f784eb2a9033b5ee7f43"
}
],
"source": {
"advisory": "GHSA-wp4p-9pxh-cgx2",
"discovery": "UNKNOWN"
},
"title": "argo-cd is vulnerable to unauthenticated DoS attack via malformed Gogs webhook payload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59537",
"datePublished": "2025-10-01T21:01:36.519Z",
"dateReserved": "2025-09-17T17:04:20.373Z",
"dateUpdated": "2025-10-02T15:54:17.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59538 (GCVE-0-2025-59538)
Vulnerability from cvelistv5 – Published: 2025-10-01 21:09 – Updated: 2025-10-02 15:54
VLAI?
EPSS
Title
Argo CD is Vulnerable to Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index [0] is accessed without a length check, causing an index-out-of-range panic. A single unauthenticated HTTP POST is enough to kill the process. This issue is resolved in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
Severity ?
7.5 (High)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59538",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T15:32:22.380180Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T15:54:11.490Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.9.0-rc1, \u003c 2.14.20"
},
{
"status": "affected",
"version": "\u003e= 3.2.0-rc1, \u003c 3.2.0-rc2"
},
{
"status": "affected",
"version": "\u003e= 3.1.0-rc1, \u003c 3.1.8"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-rc1, \u003c 3.0.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index [0] is accessed without a length check, causing an index-out-of-range panic. A single unauthenticated HTTP POST is enough to kill the process. This issue is resolved in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "CWE-248: Uncaught Exception",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-703",
"description": "CWE-703: Improper Check or Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T21:09:08.870Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/1a023f1ca7fe4ec942b4b6696804988d5a632baf",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/1a023f1ca7fe4ec942b4b6696804988d5a632baf"
}
],
"source": {
"advisory": "GHSA-gpx4-37g2-c8pv",
"discovery": "UNKNOWN"
},
"title": "Argo CD is Vulnerable to Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59538",
"datePublished": "2025-10-01T21:09:08.870Z",
"dateReserved": "2025-09-17T17:04:20.373Z",
"dateUpdated": "2025-10-02T15:54:11.490Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-58185 (GCVE-0-2025-58185)
Vulnerability from cvelistv5 – Published: 2025-10-29 22:10 – Updated: 2025-11-04 21:13
VLAI?
EPSS
Title
Parsing DER payload can cause memory exhaustion in encoding/asn1
Summary
Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.
Severity ?
5.3 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go standard library | encoding/asn1 |
Affected:
0 , < 1.24.8
(semver)
Affected: 1.25.0 , < 1.25.2 (semver) |
Credits
Jakub Ciolek
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58185",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-30T14:25:15.876220Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T14:25:43.620Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:34.163Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/08/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "encoding/asn1",
"product": "encoding/asn1",
"programRoutines": [
{
"name": "parseSequenceOf"
},
{
"name": "Unmarshal"
},
{
"name": "UnmarshalWithParams"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.24.8",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.25.2",
"status": "affected",
"version": "1.25.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jakub Ciolek"
}
],
"descriptions": [
{
"lang": "en",
"value": "Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T22:10:13.682Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/75671"
},
{
"url": "https://go.dev/cl/709856"
},
{
"url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
},
{
"url": "https://pkg.go.dev/vuln/GO-2025-4011"
}
],
"title": "Parsing DER payload can cause memory exhaustion in encoding/asn1"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-58185",
"datePublished": "2025-10-29T22:10:13.682Z",
"dateReserved": "2025-08-27T14:50:58.691Z",
"dateUpdated": "2025-11-04T21:13:34.163Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58187 (GCVE-0-2025-58187)
Vulnerability from cvelistv5 – Published: 2025-10-29 22:10 – Updated: 2025-11-20 22:23
VLAI?
EPSS
Title
Quadratic complexity when checking name constraints in crypto/x509
Summary
Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.
Severity ?
7.5 (High)
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go standard library | crypto/x509 |
Affected:
0 , < 1.24.9
(semver)
Affected: 1.25.0 , < 1.25.3 (semver) |
Credits
Jakub Ciolek
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58187",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-03T19:51:43.036632Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T19:52:04.234Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:36.780Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/08/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "crypto/x509",
"product": "crypto/x509",
"programRoutines": [
{
"name": "parseSANExtension"
},
{
"name": "domainToReverseLabels"
},
{
"name": "CertPool.AppendCertsFromPEM"
},
{
"name": "Certificate.CheckCRLSignature"
},
{
"name": "Certificate.CheckSignature"
},
{
"name": "Certificate.CheckSignatureFrom"
},
{
"name": "Certificate.CreateCRL"
},
{
"name": "Certificate.Verify"
},
{
"name": "CertificateRequest.CheckSignature"
},
{
"name": "CreateCertificate"
},
{
"name": "CreateCertificateRequest"
},
{
"name": "CreateRevocationList"
},
{
"name": "DecryptPEMBlock"
},
{
"name": "EncryptPEMBlock"
},
{
"name": "MarshalECPrivateKey"
},
{
"name": "MarshalPKCS1PrivateKey"
},
{
"name": "MarshalPKCS1PublicKey"
},
{
"name": "MarshalPKCS8PrivateKey"
},
{
"name": "MarshalPKIXPublicKey"
},
{
"name": "ParseCRL"
},
{
"name": "ParseCertificate"
},
{
"name": "ParseCertificateRequest"
},
{
"name": "ParseCertificates"
},
{
"name": "ParseDERCRL"
},
{
"name": "ParseECPrivateKey"
},
{
"name": "ParsePKCS1PrivateKey"
},
{
"name": "ParsePKCS1PublicKey"
},
{
"name": "ParsePKCS8PrivateKey"
},
{
"name": "ParsePKIXPublicKey"
},
{
"name": "ParseRevocationList"
},
{
"name": "RevocationList.CheckSignatureFrom"
},
{
"name": "SetFallbackRoots"
},
{
"name": "SystemCertPool"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.24.9",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.25.3",
"status": "affected",
"version": "1.25.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jakub Ciolek"
}
],
"descriptions": [
{
"lang": "en",
"value": "Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T22:23:47.179Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/75681"
},
{
"url": "https://go.dev/cl/709854"
},
{
"url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
},
{
"url": "https://pkg.go.dev/vuln/GO-2025-4007"
}
],
"title": "Quadratic complexity when checking name constraints in crypto/x509"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-58187",
"datePublished": "2025-10-29T22:10:12.624Z",
"dateReserved": "2025-08-27T14:50:58.692Z",
"dateUpdated": "2025-11-20T22:23:47.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…