Vulnerability-Lookup

Vulnerability from cleanstart

Published

2026-05-18 13:27

Modified

2026-05-11 14:11

Summary

Security fixes for CVE-2025-11065, CVE-2025-47907, CVE-2025-47911, CVE-2025-58183, CVE-2025-58185, CVE-2025-58187, CVE-2025-58188, CVE-2025-58189, CVE-2025-58190, CVE-2025-61723, CVE-2025-61724, CVE-2025-61725, CVE-2025-61726, CVE-2025-61727, CVE-2025-61728, CVE-2025-61729, CVE-2025-61730, CVE-2025-61732, CVE-2025-68119, CVE-2025-68121, CVE-2026-32280, CVE-2026-32281, CVE-2026-32289, CVE-2026-33811, CVE-2026-33814, CVE-2026-39817, CVE-2026-39819, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-42499, CVE-2026-42501, ghsa-2464-8j7c-4cjm applied in versions: 2.2.1-r0, 2.2.1-r1, 2.2.1-r4

Details

Multiple security vulnerabilities affect the spark-operator package. These issues are resolved in later releases. See references for individual vulnerability details.

References

URL

Type

	https://github.com/cleanstart-dev/cleanstart-secu…	ADVISORY
	https://osv.dev/vulnerability/CVE-2025-11065	WEB
	https://osv.dev/vulnerability/CVE-2025-47907	WEB
	https://osv.dev/vulnerability/CVE-2025-47911	WEB
	https://osv.dev/vulnerability/CVE-2025-58183	WEB
	https://osv.dev/vulnerability/CVE-2025-58185	WEB
	https://osv.dev/vulnerability/CVE-2025-58187	WEB
	https://osv.dev/vulnerability/CVE-2025-58188	WEB
	https://osv.dev/vulnerability/CVE-2025-58189	WEB
	https://osv.dev/vulnerability/CVE-2025-58190	WEB
	https://osv.dev/vulnerability/CVE-2025-61723	WEB
	https://osv.dev/vulnerability/CVE-2025-61724	WEB
	https://osv.dev/vulnerability/CVE-2025-61725	WEB
	https://osv.dev/vulnerability/CVE-2025-61726	WEB
	https://osv.dev/vulnerability/CVE-2025-61727	WEB
	https://osv.dev/vulnerability/CVE-2025-61728	WEB
	https://osv.dev/vulnerability/CVE-2025-61729	WEB
	https://osv.dev/vulnerability/CVE-2025-61730	WEB
	https://osv.dev/vulnerability/CVE-2025-61732	WEB
	https://osv.dev/vulnerability/CVE-2025-68119	WEB
	https://osv.dev/vulnerability/CVE-2025-68121	WEB
	https://osv.dev/vulnerability/CVE-2026-32280	WEB
	https://osv.dev/vulnerability/CVE-2026-32281	WEB
	https://osv.dev/vulnerability/CVE-2026-32289	WEB
	https://osv.dev/vulnerability/CVE-2026-33811	WEB
	https://osv.dev/vulnerability/CVE-2026-33814	WEB
	https://osv.dev/vulnerability/CVE-2026-39817	WEB
	https://osv.dev/vulnerability/CVE-2026-39819	WEB
	https://osv.dev/vulnerability/CVE-2026-39820	WEB
	https://osv.dev/vulnerability/CVE-2026-39823	WEB
	https://osv.dev/vulnerability/CVE-2026-39825	WEB
	https://osv.dev/vulnerability/CVE-2026-39826	WEB
	https://osv.dev/vulnerability/CVE-2026-39836	WEB
	https://osv.dev/vulnerability/CVE-2026-42499	WEB
	https://osv.dev/vulnerability/CVE-2026-42501	WEB
	https://osv.dev/vulnerability/ghsa-2464-8j7c-4cjm	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-11065	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-47907	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-47911	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-58183	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-58185	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-58187	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-58188	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-58189	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-58190	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-61723	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-61724	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-61725	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-61726	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-61727	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-61728	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-61729	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-61730	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-61732	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-68119	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-68121	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-32280	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-32281	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-32289	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33811	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33814	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39817	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39819	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39820	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39823	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39825	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39826	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39836	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42499	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42501	WEB

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "spark-operator"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.1-r4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the spark-operator package. These issues are resolved in later releases. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-QU88766",
  "modified": "2026-05-11T14:11:13Z",
  "published": "2026-05-18T13:27:21.883786Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-QU88766.json"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-11065"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-47907"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-47911"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58183"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58185"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58187"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58188"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58189"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58190"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-61723"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-61724"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-61725"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-61726"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-61727"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-61728"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-61729"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-61730"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-61732"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-68119"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-68121"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-32280"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-32281"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-32289"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33811"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33814"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39817"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39819"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39820"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39823"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39825"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39826"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39836"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42499"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42501"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-2464-8j7c-4cjm"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11065"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47907"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47911"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58185"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58187"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58188"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58189"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58190"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61723"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61724"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61725"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61727"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61728"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61730"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61732"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68119"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32289"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33811"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33814"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39817"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39819"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39820"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39823"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39825"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39826"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39836"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42499"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42501"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "summary": "Security fixes for CVE-2025-11065, CVE-2025-47907, CVE-2025-47911, CVE-2025-58183, CVE-2025-58185, CVE-2025-58187, CVE-2025-58188, CVE-2025-58189, CVE-2025-58190, CVE-2025-61723, CVE-2025-61724, CVE-2025-61725, CVE-2025-61726, CVE-2025-61727, CVE-2025-61728, CVE-2025-61729, CVE-2025-61730, CVE-2025-61732, CVE-2025-68119, CVE-2025-68121, CVE-2026-32280, CVE-2026-32281, CVE-2026-32289, CVE-2026-33811, CVE-2026-33814, CVE-2026-39817, CVE-2026-39819, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-42499, CVE-2026-42501, ghsa-2464-8j7c-4cjm applied in versions: 2.2.1-r0, 2.2.1-r1, 2.2.1-r4",
  "upstream": [
    "CVE-2025-11065",
    "CVE-2025-47907",
    "CVE-2025-47911",
    "CVE-2025-58183",
    "CVE-2025-58185",
    "CVE-2025-58187",
    "CVE-2025-58188",
    "CVE-2025-58189",
    "CVE-2025-58190",
    "CVE-2025-61723",
    "CVE-2025-61724",
    "CVE-2025-61725",
    "CVE-2025-61726",
    "CVE-2025-61727",
    "CVE-2025-61728",
    "CVE-2025-61729",
    "CVE-2025-61730",
    "CVE-2025-61732",
    "CVE-2025-68119",
    "CVE-2025-68121",
    "CVE-2026-32280",
    "CVE-2026-32281",
    "CVE-2026-32289",
    "CVE-2026-33811",
    "CVE-2026-33814",
    "CVE-2026-39817",
    "CVE-2026-39819",
    "CVE-2026-39820",
    "CVE-2026-39823",
    "CVE-2026-39825",
    "CVE-2026-39826",
    "CVE-2026-39836",
    "CVE-2026-42499",
    "CVE-2026-42501",
    "ghsa-2464-8j7c-4cjm"
  ]
}

CVE-2025-11065 (GCVE-0-2025-11065)

Vulnerability from cvelistv5 – Published: 2026-01-26 19:36 – Updated: 2026-02-03 19:21

Title

Github.com/go-viper/mapstructure/v2: go-viper's mapstructure may leak sensitive information in logs in github.com/go-viper/mapstructure

Summary

A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE

CWE-209 - Generation of Error Message Containing Sensitive Information

Assigner

redhat

References

4 references

URL	Tags
https://access.redhat.com/security/cve/CVE-2025-11065	vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2391829	issue-trackingx_refsource_REDHAT
https://github.com/go-viper/mapstructure/commit/7…
https://github.com/go-viper/mapstructure/security…

Impacted products

43 products

Vendor	Product	Version
		Affected: 0 , < 2.4.0 (semver)
Red Hat	OpenShift Pipelines	cpe:/a:redhat:openshift_pipelines:1
Red Hat	Red Hat Advanced Cluster Management for Kubernetes 2	cpe:/a:redhat:acm:2
Red Hat	Red Hat Advanced Cluster Management for Kubernetes 2	cpe:/a:redhat:acm:2
Red Hat	Red Hat Advanced Cluster Security 4	cpe:/a:redhat:advanced_cluster_security:4
Red Hat	Red Hat Advanced Cluster Security 4	cpe:/a:redhat:advanced_cluster_security:4
Red Hat	Red Hat Advanced Cluster Security 4	cpe:/a:redhat:advanced_cluster_security:4
Red Hat	Red Hat Advanced Cluster Security 4	cpe:/a:redhat:advanced_cluster_security:4
Red Hat	Red Hat Advanced Cluster Security 4	cpe:/a:redhat:advanced_cluster_security:4
Red Hat	Red Hat Advanced Cluster Security 4	cpe:/a:redhat:advanced_cluster_security:4
Red Hat	Red Hat Certification for Red Hat Enterprise Linux 8	cpe:/a:redhat:certifications:1::el8
Red Hat	Red Hat Certification Program for Red Hat Enterprise Linux 9	cpe:/a:redhat:certifications:9
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat OpenShift AI (RHOAI)	cpe:/a:redhat:openshift_ai
Red Hat	Red Hat OpenShift AI (RHOAI)	cpe:/a:redhat:openshift_ai
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4
Red Hat	Red Hat OpenShift Dev Spaces	cpe:/a:redhat:openshift_devspaces:3
Red Hat	Red Hat OpenShift Dev Spaces	cpe:/a:redhat:openshift_devspaces:3
Red Hat	Red Hat OpenShift Dev Spaces	cpe:/a:redhat:openshift_devspaces:3
Red Hat	Red Hat OpenShift distributed tracing 3	cpe:/a:redhat:openshift_distributed_tracing:3
Red Hat	Red Hat OpenShift GitOps	cpe:/a:redhat:openshift_gitops:1
Red Hat	Red Hat OpenShift GitOps	cpe:/a:redhat:openshift_gitops:1
Red Hat	Red Hat Trusted Application Pipeline	cpe:/a:redhat:trusted_application_pipeline:1
Red Hat	Red Hat Trusted Artifact Signer	cpe:/a:redhat:trusted_artifact_signer:1
Red Hat	Red Hat Trusted Artifact Signer	cpe:/a:redhat:trusted_artifact_signer:1
Red Hat	Red Hat Trusted Artifact Signer	cpe:/a:redhat:trusted_artifact_signer:1
Red Hat	Red Hat Trusted Artifact Signer	cpe:/a:redhat:trusted_artifact_signer:1
Red Hat	Red Hat Trusted Artifact Signer	cpe:/a:redhat:trusted_artifact_signer:1
Red Hat	Red Hat Trusted Artifact Signer	cpe:/a:redhat:trusted_artifact_signer:1
Red Hat	Red Hat Trusted Artifact Signer	cpe:/a:redhat:trusted_artifact_signer:1
Red Hat	Zero Trust Workload Identity Manager - Tech Preview	cpe:/a:redhat:zero_trust_workload_identity_manager:0
Red Hat	Zero Trust Workload Identity Manager - Tech Preview	cpe:/a:redhat:zero_trust_workload_identity_manager:0
Red Hat	Zero Trust Workload Identity Manager - Tech Preview	cpe:/a:redhat:zero_trust_workload_identity_manager:0
Red Hat	Zero Trust Workload Identity Manager - Tech Preview	cpe:/a:redhat:zero_trust_workload_identity_manager:0

Date Public ?

2025-08-29 14:52

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-11065",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T19:21:11.932692Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T19:21:17.175Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/go-viper/mapstructure/",
          "defaultStatus": "unaffected",
          "packageName": "github.com/go-viper/mapstructure/v2",
          "versions": [
            {
              "lessThan": "2.4.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_pipelines:1"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-pipelines-client",
          "product": "OpenShift Pipelines",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:acm:2"
          ],
          "defaultStatus": "affected",
          "packageName": "rhacm2/acm-grafana-rhel9",
          "product": "Red Hat Advanced Cluster Management for Kubernetes 2",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:acm:2"
          ],
          "defaultStatus": "affected",
          "packageName": "rhacm2/submariner-rhel9-operator",
          "product": "Red Hat Advanced Cluster Management for Kubernetes 2",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:advanced_cluster_security:4"
          ],
          "defaultStatus": "affected",
          "packageName": "advanced-cluster-security/rhacs-central-db-rhel8",
          "product": "Red Hat Advanced Cluster Security 4",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:advanced_cluster_security:4"
          ],
          "defaultStatus": "affected",
          "packageName": "advanced-cluster-security/rhacs-main-rhel8",
          "product": "Red Hat Advanced Cluster Security 4",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:advanced_cluster_security:4"
          ],
          "defaultStatus": "affected",
          "packageName": "advanced-cluster-security/rhacs-rhel8-operator",
          "product": "Red Hat Advanced Cluster Security 4",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:advanced_cluster_security:4"
          ],
          "defaultStatus": "affected",
          "packageName": "advanced-cluster-security/rhacs-roxctl-rhel8",
          "product": "Red Hat Advanced Cluster Security 4",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:advanced_cluster_security:4"
          ],
          "defaultStatus": "affected",
          "packageName": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8",
          "product": "Red Hat Advanced Cluster Security 4",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:advanced_cluster_security:4"
          ],
          "defaultStatus": "affected",
          "packageName": "advanced-cluster-security/rhacs-scanner-v4-rhel8",
          "product": "Red Hat Advanced Cluster Security 4",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:certifications:1::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "redhat-certification-preflight",
          "product": "Red Hat Certification for Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:certifications:9"
          ],
          "defaultStatus": "affected",
          "packageName": "redhat-certification-preflight",
          "product": "Red Hat Certification Program for Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "gvisor-tap-vsock",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "opentelemetry-collector",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "toolbox",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "gvisor-tap-vsock",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "opentelemetry-collector",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "toolbox",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_ai"
          ],
          "defaultStatus": "affected",
          "packageName": "rhoai/odh-model-registry-rhel9",
          "product": "Red Hat OpenShift AI (RHOAI)",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_ai"
          ],
          "defaultStatus": "affected",
          "packageName": "rhoai/odh-rhel9-operator",
          "product": "Red Hat OpenShift AI (RHOAI)",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "affected",
          "packageName": "microshift",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift4/ose-helm-operator",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift4/ose-helm-rhel9-operator",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "affected",
          "packageName": "podman",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_devspaces:3"
          ],
          "defaultStatus": "affected",
          "packageName": "devspaces/traefik-rhel9",
          "product": "Red Hat OpenShift Dev Spaces",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_devspaces:3"
          ],
          "defaultStatus": "unaffected",
          "packageName": "devspaces/udi-base-rhel9",
          "product": "Red Hat OpenShift Dev Spaces",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_devspaces:3"
          ],
          "defaultStatus": "unaffected",
          "packageName": "devspaces/udi-rhel9",
          "product": "Red Hat OpenShift Dev Spaces",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_distributed_tracing:3"
          ],
          "defaultStatus": "affected",
          "packageName": "rhosdt/opentelemetry-collector-rhel8",
          "product": "Red Hat OpenShift distributed tracing 3",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_gitops:1"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-gitops-1/argocd-rhel8",
          "product": "Red Hat OpenShift GitOps",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_gitops:1"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-gitops-1/argocd-rhel9",
          "product": "Red Hat OpenShift GitOps",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:trusted_application_pipeline:1"
          ],
          "defaultStatus": "affected",
          "packageName": "rhtap-task-runner/rhtap-task-runner-rhel9",
          "product": "Red Hat Trusted Application Pipeline",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:trusted_artifact_signer:1"
          ],
          "defaultStatus": "affected",
          "packageName": "rhtas/cosign-rhel9",
          "product": "Red Hat Trusted Artifact Signer",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:trusted_artifact_signer:1"
          ],
          "defaultStatus": "affected",
          "packageName": "rhtas/fulcio-rhel9",
          "product": "Red Hat Trusted Artifact Signer",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:trusted_artifact_signer:1"
          ],
          "defaultStatus": "affected",
          "packageName": "rhtas/gitsign-rhel9",
          "product": "Red Hat Trusted Artifact Signer",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:trusted_artifact_signer:1"
          ],
          "defaultStatus": "affected",
          "packageName": "rhtas/rekor-backfill-redis-rhel9",
          "product": "Red Hat Trusted Artifact Signer",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:trusted_artifact_signer:1"
          ],
          "defaultStatus": "affected",
          "packageName": "rhtas/rekor-cli-rhel9",
          "product": "Red Hat Trusted Artifact Signer",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:trusted_artifact_signer:1"
          ],
          "defaultStatus": "affected",
          "packageName": "rhtas/rekor-server-rhel9",
          "product": "Red Hat Trusted Artifact Signer",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:trusted_artifact_signer:1"
          ],
          "defaultStatus": "affected",
          "packageName": "rhtas/timestamp-authority-rhel9",
          "product": "Red Hat Trusted Artifact Signer",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:zero_trust_workload_identity_manager:0"
          ],
          "defaultStatus": "affected",
          "packageName": "zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9",
          "product": "Zero Trust Workload Identity Manager - Tech Preview",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:zero_trust_workload_identity_manager:0"
          ],
          "defaultStatus": "affected",
          "packageName": "zero-trust-workload-identity-manager/spiffe-spire-oidc-discovery-provider-rhel9",
          "product": "Zero Trust Workload Identity Manager - Tech Preview",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:zero_trust_workload_identity_manager:0"
          ],
          "defaultStatus": "affected",
          "packageName": "zero-trust-workload-identity-manager/spiffe-spire-server-rhel9",
          "product": "Zero Trust Workload Identity Manager - Tech Preview",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:zero_trust_workload_identity_manager:0"
          ],
          "defaultStatus": "affected",
          "packageName": "zero-trust-workload-identity-manager/zero-trust-workload-identity-manager-rhel9",
          "product": "Zero Trust Workload Identity Manager - Tech Preview",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2025-08-29T14:52:35.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "Generation of Error Message Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-26T19:36:28.900Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2025-11065"
        },
        {
          "name": "RHBZ#2391829",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391829"
        },
        {
          "url": "https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c"
        },
        {
          "url": "https://github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-08-29T17:01:44.012Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2025-08-29T14:52:35.000Z",
          "value": "Made public."
        }
      ],
      "title": "Github.com/go-viper/mapstructure/v2: go-viper\u0027s mapstructure may leak sensitive information in logs in github.com/go-viper/mapstructure",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-209: Generation of Error Message Containing Sensitive Information"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2025-11065",
    "datePublished": "2026-01-26T19:36:28.900Z",
    "dateReserved": "2025-09-26T12:01:08.227Z",
    "dateUpdated": "2026-02-03T19:21:17.175Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-47907 (GCVE-0-2025-47907)

Vulnerability from cvelistv5 – Published: 2025-08-07 15:25 – Updated: 2025-11-04 21:10

Title

Incorrect results returned from Rows.Scan in database/sql

Summary

Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.

Severity ?

7 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

CWE

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Assigner

References

4 references

URL	Tags
https://go.dev/cl/693735
https://go.dev/issue/74831
https://groups.google.com/g/golang-announce/c/x5M…
https://pkg.go.dev/vuln/GO-2025-3849

Impacted products

1 product

Vendor	Product	Version
Go standard library	database/sql	Affected: 0 , < 1.23.12 (semver) Affected: 1.24.0 , < 1.24.6 (semver)

Credits

Spike Curtis from Coder

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 7,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-47907",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-07T15:45:26.297503Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-07T15:48:03.634Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:10:56.083Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/08/06/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "database/sql",
          "product": "database/sql",
          "programRoutines": [
            {
              "name": "Rows.Scan"
            },
            {
              "name": "Row.Scan"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.23.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.24.6",
              "status": "affected",
              "version": "1.24.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Spike Curtis from Coder"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-07T15:25:30.704Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/693735"
        },
        {
          "url": "https://go.dev/issue/74831"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-3849"
        }
      ],
      "title": "Incorrect results returned from Rows.Scan in database/sql"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-47907",
    "datePublished": "2025-08-07T15:25:30.704Z",
    "dateReserved": "2025-05-13T23:31:29.597Z",
    "dateUpdated": "2025-11-04T21:10:56.083Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-47911 (GCVE-0-2025-47911)

Vulnerability from cvelistv5 – Published: 2026-02-05 17:48 – Updated: 2026-02-12 15:23

Title

Quadratic parsing complexity in golang.org/x/net/html

Summary

The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

References

4 references

URL	Tags
https://go.dev/cl/709876
https://github.com/golang/vulndb/issues/4440
https://groups.google.com/g/golang-announce/c/jnQ…
https://pkg.go.dev/vuln/GO-2026-4440

Impacted products

1 product

Vendor	Product	Version
golang.org/x/net	golang.org/x/net/html	Affected: 0 , < 0.45.0 (semver)

Credits

Guido Vranken Jakub Ciolek

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-47911",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-12T15:23:40.307728Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-12T15:23:55.509Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/net/html",
          "product": "golang.org/x/net/html",
          "programRoutines": [
            {
              "name": "parser.parse"
            },
            {
              "name": "Parse"
            },
            {
              "name": "ParseFragment"
            },
            {
              "name": "ParseFragmentWithOptions"
            },
            {
              "name": "ParseWithOptions"
            }
          ],
          "vendor": "golang.org/x/net",
          "versions": [
            {
              "lessThan": "0.45.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Guido Vranken"
        },
        {
          "lang": "en",
          "value": "Jakub Ciolek"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-05T17:48:44.562Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/709876"
        },
        {
          "url": "https://github.com/golang/vulndb/issues/4440"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4440"
        }
      ],
      "title": "Quadratic parsing complexity in golang.org/x/net/html"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-47911",
    "datePublished": "2026-02-05T17:48:44.562Z",
    "dateReserved": "2025-05-13T23:31:29.597Z",
    "dateUpdated": "2026-02-12T15:23:55.509Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-58183 (GCVE-0-2025-58183)

Vulnerability from cvelistv5 – Published: 2025-10-29 22:10 – Updated: 2025-11-04 21:13

Title

Unbounded allocation when parsing GNU sparse map in archive/tar

Summary

tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

References

4 references

URL	Tags
https://go.dev/cl/709861
https://go.dev/issue/75677
https://groups.google.com/g/golang-announce/c/4Em…
https://pkg.go.dev/vuln/GO-2025-4014

Impacted products

1 product

Vendor	Product	Version
Go standard library	archive/tar	Affected: 0 , < 1.24.8 (semver) Affected: 1.25.0 , < 1.25.2 (semver)

Credits

Harshit Gupta (Mr HAX)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 4.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-58183",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-30T14:22:41.219110Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:56:37.377Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:13:32.834Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/10/08/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "archive/tar",
          "product": "archive/tar",
          "programRoutines": [
            {
              "name": "readGNUSparseMap1x0"
            },
            {
              "name": "Reader.Next"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.24.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.25.2",
              "status": "affected",
              "version": "1.25.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Harshit Gupta (Mr HAX)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-29T22:10:14.376Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/709861"
        },
        {
          "url": "https://go.dev/issue/75677"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-4014"
        }
      ],
      "title": "Unbounded allocation when parsing GNU sparse map in archive/tar"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-58183",
    "datePublished": "2025-10-29T22:10:14.376Z",
    "dateReserved": "2025-08-27T14:50:58.691Z",
    "dateUpdated": "2025-11-04T21:13:32.834Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-58185 (GCVE-0-2025-58185)

Vulnerability from cvelistv5 – Published: 2025-10-29 22:10 – Updated: 2025-11-04 21:13

Title

Parsing DER payload can cause memory exhaustion in encoding/asn1

Summary

Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

References

4 references

URL	Tags
https://go.dev/issue/75671
https://go.dev/cl/709856
https://groups.google.com/g/golang-announce/c/4Em…
https://pkg.go.dev/vuln/GO-2025-4011

Impacted products

1 product

Vendor	Product	Version
Go standard library	encoding/asn1	Affected: 0 , < 1.24.8 (semver) Affected: 1.25.0 , < 1.25.2 (semver)

Credits

Jakub Ciolek

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-58185",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-30T14:25:15.876220Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-30T14:25:43.620Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:13:34.163Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/10/08/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "encoding/asn1",
          "product": "encoding/asn1",
          "programRoutines": [
            {
              "name": "parseSequenceOf"
            },
            {
              "name": "Unmarshal"
            },
            {
              "name": "UnmarshalWithParams"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.24.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.25.2",
              "status": "affected",
              "version": "1.25.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakub Ciolek"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-29T22:10:13.682Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/75671"
        },
        {
          "url": "https://go.dev/cl/709856"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-4011"
        }
      ],
      "title": "Parsing DER payload can cause memory exhaustion in encoding/asn1"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-58185",
    "datePublished": "2025-10-29T22:10:13.682Z",
    "dateReserved": "2025-08-27T14:50:58.691Z",
    "dateUpdated": "2025-11-04T21:13:34.163Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-58187 (GCVE-0-2025-58187)

Vulnerability from cvelistv5 – Published: 2025-10-29 22:10 – Updated: 2025-11-20 22:23

Title

Quadratic complexity when checking name constraints in crypto/x509

Summary

Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-407 - Inefficient Algorithmic Complexity

Assigner

References

4 references

URL	Tags
https://go.dev/issue/75681
https://go.dev/cl/709854
https://groups.google.com/g/golang-announce/c/4Em…
https://pkg.go.dev/vuln/GO-2025-4007

Impacted products

1 product

Vendor	Product	Version
Go standard library	crypto/x509	Affected: 0 , < 1.24.9 (semver) Affected: 1.25.0 , < 1.25.3 (semver)

Credits

Jakub Ciolek

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-58187",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-03T19:51:43.036632Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:52:04.234Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:13:36.780Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/10/08/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/x509",
          "product": "crypto/x509",
          "programRoutines": [
            {
              "name": "parseSANExtension"
            },
            {
              "name": "domainToReverseLabels"
            },
            {
              "name": "CertPool.AppendCertsFromPEM"
            },
            {
              "name": "Certificate.CheckCRLSignature"
            },
            {
              "name": "Certificate.CheckSignature"
            },
            {
              "name": "Certificate.CheckSignatureFrom"
            },
            {
              "name": "Certificate.CreateCRL"
            },
            {
              "name": "Certificate.Verify"
            },
            {
              "name": "CertificateRequest.CheckSignature"
            },
            {
              "name": "CreateCertificate"
            },
            {
              "name": "CreateCertificateRequest"
            },
            {
              "name": "CreateRevocationList"
            },
            {
              "name": "DecryptPEMBlock"
            },
            {
              "name": "EncryptPEMBlock"
            },
            {
              "name": "MarshalECPrivateKey"
            },
            {
              "name": "MarshalPKCS1PrivateKey"
            },
            {
              "name": "MarshalPKCS1PublicKey"
            },
            {
              "name": "MarshalPKCS8PrivateKey"
            },
            {
              "name": "MarshalPKIXPublicKey"
            },
            {
              "name": "ParseCRL"
            },
            {
              "name": "ParseCertificate"
            },
            {
              "name": "ParseCertificateRequest"
            },
            {
              "name": "ParseCertificates"
            },
            {
              "name": "ParseDERCRL"
            },
            {
              "name": "ParseECPrivateKey"
            },
            {
              "name": "ParsePKCS1PrivateKey"
            },
            {
              "name": "ParsePKCS1PublicKey"
            },
            {
              "name": "ParsePKCS8PrivateKey"
            },
            {
              "name": "ParsePKIXPublicKey"
            },
            {
              "name": "ParseRevocationList"
            },
            {
              "name": "RevocationList.CheckSignatureFrom"
            },
            {
              "name": "SetFallbackRoots"
            },
            {
              "name": "SystemCertPool"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.24.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.25.3",
              "status": "affected",
              "version": "1.25.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakub Ciolek"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-20T22:23:47.179Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/75681"
        },
        {
          "url": "https://go.dev/cl/709854"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-4007"
        }
      ],
      "title": "Quadratic complexity when checking name constraints in crypto/x509"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-58187",
    "datePublished": "2025-10-29T22:10:12.624Z",
    "dateReserved": "2025-08-27T14:50:58.692Z",
    "dateUpdated": "2025-11-20T22:23:47.179Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-58188 (GCVE-0-2025-58188)

Vulnerability from cvelistv5 – Published: 2025-10-29 22:10 – Updated: 2025-11-04 21:13

Title

Panic when validating certificates with DSA public keys in crypto/x509

Summary

Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-248 - Uncaught Exception

Assigner

References

4 references

URL	Tags
https://go.dev/cl/709853
https://go.dev/issue/75675
https://groups.google.com/g/golang-announce/c/4Em…
https://pkg.go.dev/vuln/GO-2025-4013

Impacted products

1 product

Vendor	Product	Version
Go standard library	crypto/x509	Affected: 0 , < 1.24.8 (semver) Affected: 1.25.0 , < 1.25.2 (semver)

Credits

Jakub Ciolek

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-58188",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-30T14:23:42.371985Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-30T14:24:08.688Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:13:38.109Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/10/08/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/x509",
          "product": "crypto/x509",
          "programRoutines": [
            {
              "name": "alreadyInChain"
            },
            {
              "name": "Certificate.Verify"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.24.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.25.2",
              "status": "affected",
              "version": "1.25.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakub Ciolek"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-248: Uncaught Exception",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-29T22:10:14.143Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/709853"
        },
        {
          "url": "https://go.dev/issue/75675"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-4013"
        }
      ],
      "title": "Panic when validating certificates with DSA public keys in crypto/x509"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-58188",
    "datePublished": "2025-10-29T22:10:14.143Z",
    "dateReserved": "2025-08-27T14:50:58.692Z",
    "dateUpdated": "2025-11-04T21:13:38.109Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-58189 (GCVE-0-2025-58189)

Vulnerability from cvelistv5 – Published: 2025-10-29 22:10 – Updated: 2025-11-04 21:13

Title

ALPN negotiation error contains attacker controlled information in crypto/tls

Summary

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-117 - Improper Output Neutralization for Logs

Assigner

References

4 references

URL	Tags
https://go.dev/cl/707776
https://go.dev/issue/75652
https://groups.google.com/g/golang-announce/c/4Em…
https://pkg.go.dev/vuln/GO-2025-4008

Impacted products

1 product

Vendor	Product	Version
Go standard library	crypto/tls	Affected: 0 , < 1.24.8 (semver) Affected: 1.25.0 , < 1.25.2 (semver)

Credits

National Cyber Security Centre Finland

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-58189",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-03T19:50:48.668117Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:51:22.704Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:13:39.428Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/10/08/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/tls",
          "product": "crypto/tls",
          "programRoutines": [
            {
              "name": "negotiateALPN"
            },
            {
              "name": "Conn.Handshake"
            },
            {
              "name": "Conn.HandshakeContext"
            },
            {
              "name": "Conn.Read"
            },
            {
              "name": "Conn.Write"
            },
            {
              "name": "Dial"
            },
            {
              "name": "DialWithDialer"
            },
            {
              "name": "Dialer.Dial"
            },
            {
              "name": "Dialer.DialContext"
            },
            {
              "name": "QUICConn.Start"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.24.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.25.2",
              "status": "affected",
              "version": "1.25.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "National Cyber Security Centre Finland"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-117: Improper Output Neutralization for Logs",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-29T22:10:12.947Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/707776"
        },
        {
          "url": "https://go.dev/issue/75652"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-4008"
        }
      ],
      "title": "ALPN negotiation error contains attacker controlled information in crypto/tls"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-58189",
    "datePublished": "2025-10-29T22:10:12.947Z",
    "dateReserved": "2025-08-27T14:50:58.692Z",
    "dateUpdated": "2025-11-04T21:13:39.428Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-58190 (GCVE-0-2025-58190)

Vulnerability from cvelistv5 – Published: 2026-02-05 17:48 – Updated: 2026-02-12 15:22

Title

Infinite parsing loop in golang.org/x/net

Summary

The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-835 - Loop with Unreachable Exit Condition

Assigner

References

4 references

URL	Tags
https://groups.google.com/g/golang-announce/c/jnQ…
https://github.com/golang/vulndb/issues/4441
https://go.dev/cl/709875
https://pkg.go.dev/vuln/GO-2026-4441

Impacted products

1 product

Vendor	Product	Version
golang.org/x/net	golang.org/x/net/html	Affected: 0 , < 0.45.0 (semver)

Credits

Guido Vranken

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-58190",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-12T15:22:10.801204Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-12T15:22:37.685Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/net/html",
          "product": "golang.org/x/net/html",
          "programRoutines": [
            {
              "name": "inRowIM"
            },
            {
              "name": "Parse"
            },
            {
              "name": "ParseFragment"
            },
            {
              "name": "ParseFragmentWithOptions"
            },
            {
              "name": "ParseWithOptions"
            }
          ],
          "vendor": "golang.org/x/net",
          "versions": [
            {
              "lessThan": "0.45.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Guido Vranken"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-835: Loop with Unreachable Exit Condition",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-05T17:48:44.693Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c"
        },
        {
          "url": "https://github.com/golang/vulndb/issues/4441"
        },
        {
          "url": "https://go.dev/cl/709875"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4441"
        }
      ],
      "title": "Infinite parsing loop in golang.org/x/net"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-58190",
    "datePublished": "2026-02-05T17:48:44.693Z",
    "dateReserved": "2025-08-27T14:50:58.692Z",
    "dateUpdated": "2026-02-12T15:22:37.685Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-61723 (GCVE-0-2025-61723)

Vulnerability from cvelistv5 – Published: 2025-10-29 22:10 – Updated: 2025-11-04 21:14

Title

Quadratic complexity when parsing some invalid inputs in encoding/pem

Summary

The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-407 - Inefficient Algorithmic Complexity

Assigner

References

4 references

URL	Tags
https://go.dev/issue/75676
https://go.dev/cl/709858
https://groups.google.com/g/golang-announce/c/4Em…
https://pkg.go.dev/vuln/GO-2025-4009

Impacted products

1 product

Vendor	Product	Version
Go standard library	encoding/pem	Affected: 0 , < 1.24.8 (semver) Affected: 1.25.0 , < 1.25.2 (semver)

Credits

Jakub Ciolek

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-61723",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-30T20:35:15.752525Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-03T14:48:59.920Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:14:02.531Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/10/08/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "encoding/pem",
          "product": "encoding/pem",
          "programRoutines": [
            {
              "name": "getLine"
            },
            {
              "name": "Decode"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.24.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.25.2",
              "status": "affected",
              "version": "1.25.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakub Ciolek"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-29T22:10:13.220Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/75676"
        },
        {
          "url": "https://go.dev/cl/709858"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-4009"
        }
      ],
      "title": "Quadratic complexity when parsing some invalid inputs in encoding/pem"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-61723",
    "datePublished": "2025-10-29T22:10:13.220Z",
    "dateReserved": "2025-09-30T15:05:03.604Z",
    "dateUpdated": "2025-11-04T21:14:02.531Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

Vulnerability from cleanstart

CVE-2025-11065 (GCVE-0-2025-11065)

CVE-2025-47907 (GCVE-0-2025-47907)

CVE-2025-47911 (GCVE-0-2025-47911)

CVE-2025-58183 (GCVE-0-2025-58183)

CVE-2025-58185 (GCVE-0-2025-58185)

CVE-2025-58187 (GCVE-0-2025-58187)

CVE-2025-58188 (GCVE-0-2025-58188)

CVE-2025-58189 (GCVE-0-2025-58189)

CVE-2025-58190 (GCVE-0-2025-58190)

CVE-2025-61723 (GCVE-0-2025-61723)

Tags

Sightings

Nomenclature