Occurrences: 93124
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf....
Occurrences: 59136
The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the c...
Occurrences: 58372
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can ...
Occurrences: 58315
The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to i...
Occurrences: 55753
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEA...
Occurrences: 54345
The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses t...
Occurrences: 47834
Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted...
Occurrences: 44460
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests....
Occurrences: 43650
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memo...
Occurrences: 43594
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server....
Occurrences: 41276
On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming t...
Occurrences: 40666
GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The iss...
Occurrences: 34737
Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the C...
Occurrences: 34737
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This ma...
Occurrences: 34586
HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the comm...
PURL: pkg:golang/github.com/beorn7/perks@v1.0.1
PURL: pkg:golang/github.com/pkg/errors@v0.9.1
PURL: pkg:golang/github.com/spf13/pflag@v1.0.5
PURL: pkg:golang/gopkg.in/yaml.v3@v3.0.1
PURL: pkg:golang/github.com/prometheus/client_model@v0.2.0
PURL: pkg:golang/github.com/mitchellh/mapstructure@v1.5.0
PURL: pkg:golang/github.com/hashicorp/hcl@v1.0.0
PURL: pkg:golang/github.com/grpc-ecosystem/go-grpc-middleware@v1.3.0
PURL: pkg:golang/github.com/cespare/xxhash/v2@v2.2.0
PURL: pkg:golang/github.com/russross/blackfriday/v2@v2.1.0
PURL: pkg:golang/github.com/prometheus/procfs@v0.7.3
PURL: pkg:golang/github.com/cpuguy83/go-md2man/v2@v2.0.2
PURL: pkg:golang/github.com/golang/protobuf@v1.5.3
PURL: pkg:golang/github.com/matttproud/golang_protobuf_extensions@v1.0.1
PURL: pkg:golang/gopkg.in/ini.v1@v1.67.0