ALT-PU-2025-7975-3
Closed vulnerabilities
Modified: 2026-04-20
BDU:2025-02476
Vulnerability in the net/http, x/net/proxy and x/net/http/httpproxy packages of the Go programming language that allows an attacker to affect the confidentiality and availability of protected information
Modified: 2026-03-04
BDU:2025-03456
Vulnerability in the crypto-elliptic component of the Golang programming language that allows an attacker to gain access to confidential information
Modified: 2025-11-19
BDU:2025-04014
Vulnerability in the net/http package of the Go programming language, related to flaws in HTTP request handling, that allows an attacker to execute arbitrary code
Modified: 2026-03-20
BDU:2025-07316
Vulnerability in the Golang programming language, related to improper limitation of a pathname to a restricted directory, that allows an attacker to gain unauthorized access to protected information
Modified: 2026-04-15
CVE-2025-22866
Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.
Modified: 2026-04-16
CVE-2025-22870
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
Modified: 2026-04-15
CVE-2025-22871
The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
Modified: 2026-02-10
CVE-2025-22873
It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.
GHSA-5423-jcjm-2gpv
Traefik affected by Go HTTP Request Smuggling Vulnerability
- https://github.com/traefik/traefik/security/advisories/GHSA-5423-jcjm-2gpv
- https://nvd.nist.gov/vuln/detail/CVE-2025-22871
- https://github.com/traefik/traefik
- https://github.com/traefik/traefik/releases/tag/v2.11.24
- https://github.com/traefik/traefik/releases/tag/v3.3.6
- https://github.com/traefik/traefik/releases/tag/v3.4.0-rc2
Modified: 2025-11-18
GHSA-6jqf-mv7m-3q7p
File Browser has risk of HTTP Request/Response smuggling through vulnerable dependency
Modified: 2025-10-24
GHSA-g9pc-8g42-g6vq
RoadRunner is at risk of HTTP Request/Response Smuggling through vulnerable dependency
- https://nvd.nist.gov/vuln/detail/CVE-2025-22871
- https://github.com/roadrunner-server/roadrunner/issues/2166
- https://github.com/roadrunner-server/roadrunner/commit/f269279ee87d0b88127741cad1042389af7605fa
- https://github.com/roadrunner-server/roadrunner
- https://github.com/roadrunner-server/roadrunner/releases/tag/v2025.1.0
- https://go.dev/cl/652998
- https://go.dev/issue/71988
- https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk
- https://pkg.go.dev/vuln/GO-2025-3563
- http://www.openwall.com/lists/oss-security/2025/04/04/4
Modified: 2025-05-10
GHSA-qxp5-gwg8-xv66
HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
Closed bugs
Remove node from the dependencies of the golang package
