ALT-PU-2025-7975-3

BDU:2025-02476

MEDIUM4.4

Уязвимость пакетов net/http, x/net/proxy и x/net/http/httpproxy языка программирования Go, позволяющая нарушителю оказать воздействие на конфиденциальность и доступность защищаемой информации

Published: 2025-07-02Modified: 2026-04-20

CVSS 3.xMEDIUM 4.4

CVSS:3.x/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

CVSS 2.0LOW 3.2

CVSS:2.0/AV:L/AC:L/Au:S/C:P/I:N/A:P

References

CVE-2025-22870

BDU:2025-03456

MEDIUM4.0

Уязвимость компонента crypto-elliptic языка программирования Golang, позволяющая нарушителю получить доступ к конфиденциальной информации

Published: 2025-03-27Modified: 2026-03-04

CVSS 3.xMEDIUM 4.0

CVSS:3.x/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS 2.0LOW 2.1

CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:N/A:N

References

CVE-2025-22866

BDU:2025-04014

CRITICAL9.1

Уязвимость пакета net/http языка программирования Go, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю выполнить произвольный код

Published: 2025-04-09Modified: 2025-11-19

CVSS 3.xCRITICAL 9.1

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS 2.0CRITICAL 9.4

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:N

References

CVE-2025-22871

BDU:2025-07316

MEDIUM4.4

Уязвимость языка программирования Golang, связанная с неверным ограничением имени пути к каталогу с ограниченным доступом, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2025-06-23Modified: 2026-03-20

CVSS 3.xMEDIUM 4.4

CVSS:3.x/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS 2.0LOW 3.6

CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:P/A:N

References

CVE-2025-22873

CVE-2025-22866

MEDIUM4.0

Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.

Published: 2025-02-06Modified: 2026-04-15

CVSS 3.xMEDIUM 4.0

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

CVE-2025-22870

MEDIUM4.4

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Published: 2025-03-12Modified: 2026-04-16

CVSS 3.xMEDIUM 4.4

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

References

CVE-2025-22871

CRITICAL9.1

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

Published: 2025-04-08Modified: 2026-04-15

CVSS 3.xCRITICAL 9.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

CVE-2025-22873

LOW3.8

It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.

Published: 2026-02-04Modified: 2026-02-10

CVSS 3.xLOW 3.8

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

References

GHSA-5423-jcjm-2gpv

CRITICAL9.1

Traefik affected by Go HTTP Request Smuggling Vulnerability

Published: 2025-04-18

CVSS 3.xCRITICAL 9.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

GHSA-6jqf-mv7m-3q7p

CRITICAL9.1

File Browser has risk of HTTP Request/Response smuggling through vulnerable dependency

Published: 2025-11-14Modified: 2025-11-18

CVSS 3.xCRITICAL 9.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

GHSA-g9pc-8g42-g6vq

CRITICAL9.1

RoadRunner is at risk of HTTP Request/Response Smuggling through vulnerable dependency

Published: 2025-04-09Modified: 2025-10-24

CVSS 3.xCRITICAL 9.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

GHSA-qxp5-gwg8-xv66

MEDIUM4.4

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

Published: 2025-03-13Modified: 2026-04-24

CVSS 3.xMEDIUM 4.4

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

References

Package update golang in branch c10f2

Closed issues (12)

Уязвимость компонента crypto-elliptic языка программирования Golang, позволяющая нарушителю получить доступ к конфиденциальной информации

Уязвимость пакета net/http языка программирования Go, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю выполнить произвольный код

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

Traefik affected by Go HTTP Request Smuggling Vulnerability

File Browser has risk of HTTP Request/Response smuggling through vulnerable dependency

RoadRunner is at risk of HTTP Request/Response Smuggling through vulnerable dependency

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

Closed bugs (1)

Убрать node из зависимостей пакета golang