Go Vulnerability Database
Data about new vulnerabilities come directly from Go package maintainers or sources such as MITRE and GitHub. Reports are curated by the Go Security team. Learn more at go.dev/security/vuln.
Search
Recent Reports
GO-2024-2825
- CVE-2024-24787
- Affects: cmd/go
- Published: May 08, 2024
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.
GO-2024-2824
- CVE-2024-24788
- Affects: net
- Published: May 07, 2024
- Modified: May 08, 2024
A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.
GO-2024-2819
- CVE-2024-32972, GHSA-4xc9-8hmq-j652
- Affects: github.com/ethereum/go-ethereum
- Published: May 08, 2024
A vulnerable node can be made to consume very large amounts of memory when handling specially crafted p2p messages sent from an attacker node. This can result in a denial of service as the node runs out of memory.
GO-2024-2818
- CVE-2024-34478, GHSA-3jgf-r68h-xfqm
- Affects: github.com/btcsuite/btcd
- Published: May 08, 2024
Incorrect implementation of the consensus rules outlined in BIP 68 and BIP 112 making btcd susceptible to consensus failures. Specifically, it uses the transaction version as a signed integer when it is supposed to be treated as unsigned. There can be a chain split and loss of funds.
GO-2024-2744
- GHSA-x883-2vmg-xwf7
- Affects: github.com/authelia/authelia/v4
- Published: Apr 26, 2024
If the file authentication backend is being used, the ewatch option is set to true, the refresh interval is configured to a non-disabled value, and an administrator changes a user's groups, then that user may be able to access resources that their previous groups had access to.
If you don't see an existing, public Go vulnerability in a publicly importable package in our database, please let us know.