Created
September 26, 2025 20:55
| { | |
| "@context": "https://openvex.dev/ns/v0.2.0", | |
| "@id": "govulncheck/vex:e47eb4a0ed7d490a5a94dfb6f85150e2244773b6977de80e8dc620dbd3d30a72", | |
| "author": "Unknown Author", | |
| "timestamp": "2025-09-26T20:54:41.812737311Z", | |
| "version": 1, | |
| "tooling": "https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck", | |
| "statements": [ | |
| { | |
| "vulnerability": { | |
| "@id": "https://pkg.go.dev/vuln/GO-2022-0635", | |
| "name": "GO-2022-0635", | |
| "description": "In-band key negotiation issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go", | |
| "aliases": [ | |
| "CVE-2020-8912", | |
| "GHSA-7f33-f4f5-xwgw" | |
| ] | |
| }, | |
| "products": [ | |
| { | |
| "@id": "Unknown Product", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:golang/github.com%2Faws%2Faws-sdk-go@v1.54.6" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "justification": "vulnerable_code_not_present", | |
| "impact_statement": "Govulncheck determined that the vulnerable code isn't called" | |
| }, | |
| { | |
| "vulnerability": { | |
| "@id": "https://pkg.go.dev/vuln/GO-2022-0646", | |
| "name": "GO-2022-0646", | |
| "description": "CBC padding oracle issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go", | |
| "aliases": [ | |
| "CVE-2020-8911", | |
| "GHSA-f5pg-7wfw-84q9" | |
| ] | |
| }, | |
| "products": [ | |
| { | |
| "@id": "Unknown Product", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:golang/github.com%2Faws%2Faws-sdk-go@v1.54.6" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "justification": "vulnerable_code_not_present", | |
| "impact_statement": "Govulncheck determined that the vulnerable code isn't called" | |
| }, | |
| { | |
| "vulnerability": { | |
| "@id": "https://pkg.go.dev/vuln/GO-2024-3321", | |
| "name": "GO-2024-3321", | |
| "description": "Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto", | |
| "aliases": [ | |
| "CVE-2024-45337", | |
| "GHSA-v778-237x-gjrc" | |
| ] | |
| }, | |
| "products": [ | |
| { | |
| "@id": "Unknown Product", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:golang/golang.org%2Fx%2Fcrypto@v0.27.0" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "justification": "vulnerable_code_not_in_execute_path", | |
| "impact_statement": "Govulncheck determined that the vulnerable code isn't called" | |
| }, | |
| { | |
| "vulnerability": { | |
| "@id": "https://pkg.go.dev/vuln/GO-2024-3333", | |
| "name": "GO-2024-3333", | |
| "description": "Non-linear parsing of case-insensitive content in golang.org/x/net/html", | |
| "aliases": [ | |
| "CVE-2024-45338", | |
| "GHSA-w32m-9786-jp63" | |
| ] | |
| }, | |
| "products": [ | |
| { | |
| "@id": "Unknown Product", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:golang/golang.org%2Fx%2Fnet@v0.29.0" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "justification": "vulnerable_code_not_in_execute_path", | |
| "impact_statement": "Govulncheck determined that the vulnerable code isn't called" | |
| }, | |
| { | |
| "vulnerability": { | |
| "@id": "https://pkg.go.dev/vuln/GO-2025-3367", | |
| "name": "GO-2025-3367", | |
| "description": "Clients vulnerable to DoS via maliciously crafted Git server replies in github.com/go-git/go-git", | |
| "aliases": [ | |
| "CVE-2025-21614", | |
| "GHSA-r9px-m959-cxf4" | |
| ] | |
| }, | |
| "products": [ | |
| { | |
| "@id": "Unknown Product", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:golang/github.com%2Fgo-git%2Fgo-git%2Fv5@v5.12.0" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "affected" | |
| }, | |
| { | |
| "vulnerability": { | |
| "@id": "https://pkg.go.dev/vuln/GO-2025-3368", | |
| "name": "GO-2025-3368", | |
| "description": "Argument Injection via the URL field in github.com/go-git/go-git", | |
| "aliases": [ | |
| "CVE-2025-21613", | |
| "GHSA-v725-9546-7q7m" | |
| ] | |
| }, | |
| "products": [ | |
| { | |
| "@id": "Unknown Product", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:golang/github.com%2Fgo-git%2Fgo-git%2Fv5@v5.12.0" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "affected" | |
| }, | |
| { | |
| "vulnerability": { | |
| "@id": "https://pkg.go.dev/vuln/GO-2025-3487", | |
| "name": "GO-2025-3487", | |
| "description": "Potential denial of service in golang.org/x/crypto", | |
| "aliases": [ | |
| "CVE-2025-22869" | |
| ] | |
| }, | |
| "products": [ | |
| { | |
| "@id": "Unknown Product", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:golang/golang.org%2Fx%2Fcrypto@v0.27.0" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "affected" | |
| }, | |
| { | |
| "vulnerability": { | |
| "@id": "https://pkg.go.dev/vuln/GO-2025-3488", | |
| "name": "GO-2025-3488", | |
| "description": "Unexpected memory consumption during token parsing in golang.org/x/oauth2", | |
| "aliases": [ | |
| "CVE-2025-22868" | |
| ] | |
| }, | |
| "products": [ | |
| { | |
| "@id": "Unknown Product", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:golang/golang.org%2Fx%2Foauth2@v0.22.0" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "justification": "vulnerable_code_not_in_execute_path", | |
| "impact_statement": "Govulncheck determined that the vulnerable code isn't called" | |
| }, | |
| { | |
| "vulnerability": { | |
| "@id": "https://pkg.go.dev/vuln/GO-2025-3503", | |
| "name": "GO-2025-3503", | |
| "description": "HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net", | |
| "aliases": [ | |
| "CVE-2025-22870" | |
| ] | |
| }, | |
| "products": [ | |
| { | |
| "@id": "Unknown Product", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:golang/golang.org%2Fx%2Fnet@v0.29.0" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "justification": "vulnerable_code_not_in_execute_path", | |
| "impact_statement": "Govulncheck determined that the vulnerable code isn't called" | |
| }, | |
| { | |
| "vulnerability": { | |
| "@id": "https://pkg.go.dev/vuln/GO-2025-3527", | |
| "name": "GO-2025-3527", | |
| "description": "buildx allows a possible credential leakage to telemetry endpoint in github.com/docker/buildx", | |
| "aliases": [ | |
| "CVE-2025-0495", | |
| "GHSA-m4gq-fm9h-8q75" | |
| ] | |
| }, | |
| "products": [ | |
| { | |
| "@id": "Unknown Product", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:golang/github.com%2Fdocker%2Fbuildx@v0.17.1" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "affected" | |
| }, | |
| { | |
| "vulnerability": { | |
| "@id": "https://pkg.go.dev/vuln/GO-2025-3528", | |
| "name": "GO-2025-3528", | |
| "description": "containerd has an integer overflow in User ID handling in github.com/containerd/containerd", | |
| "aliases": [ | |
| "CVE-2024-40635", | |
| "GHSA-265r-hfxg-fhmg" | |
| ] | |
| }, | |
| "products": [ | |
| { | |
| "@id": "Unknown Product", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:golang/github.com%2Fcontainerd%2Fcontainerd@v1.7.22" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "affected" | |
| }, | |
| { | |
| "vulnerability": { | |
| "@id": "https://pkg.go.dev/vuln/GO-2025-3595", | |
| "name": "GO-2025-3595", | |
| "description": "Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net", | |
| "aliases": [ | |
| "CVE-2025-22872" | |
| ] | |
| }, | |
| "products": [ | |
| { | |
| "@id": "Unknown Product", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:golang/golang.org%2Fx%2Fnet@v0.29.0" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "justification": "vulnerable_code_not_in_execute_path", | |
| "impact_statement": "Govulncheck determined that the vulnerable code isn't called" | |
| }, | |
| { | |
| "vulnerability": { | |
| "@id": "https://pkg.go.dev/vuln/GO-2025-3601", | |
| "name": "GO-2025-3601", | |
| "description": "Helm Allows A Specially Crafted Chart Archive To Cause Out Of Memory Termination in helm.sh/helm", | |
| "aliases": [ | |
| "CVE-2025-32386", | |
| "GHSA-4hfp-h4cw-hj8p" | |
| ] | |
| }, | |
| "products": [ | |
| { | |
| "@id": "Unknown Product", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:golang/helm.sh%2Fhelm%2Fv3@v3.16.1" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "affected" | |
| }, | |
| { | |
| "vulnerability": { | |
| "@id": "https://pkg.go.dev/vuln/GO-2025-3602", | |
| "name": "GO-2025-3602", | |
| "description": "Helm Allows A Specially Crafted JSON Schema To Cause A Stack Overflow in helm.sh/helm", | |
| "aliases": [ | |
| "CVE-2025-32387", | |
| "GHSA-5xqw-8hwv-wg92" | |
| ] | |
| }, | |
| "products": [ | |
| { | |
| "@id": "Unknown Product", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:golang/helm.sh%2Fhelm%2Fv3@v3.16.1" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "affected" | |
| }, | |
| { | |
| "vulnerability": { | |
| "@id": "https://pkg.go.dev/vuln/GO-2025-3660", | |
| "name": "GO-2025-3660", | |
| "description": "OPA server Data API HTTP path injection of Rego in github.com/open-policy-agent/opa", | |
| "aliases": [ | |
| "CVE-2025-46569", | |
| "GHSA-6m8w-jc87-6cr7" | |
| ] | |
| }, | |
| "products": [ | |
| { | |
| "@id": "Unknown Product", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:golang/github.com%2Fopen-policy-agent%2Fopa@v0.68.1-0.20240903211041-76f7038ea2d1" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "justification": "vulnerable_code_not_present", | |
| "impact_statement": "Govulncheck determined that the vulnerable code isn't called" | |
| }, | |
| { | |
| "vulnerability": { | |
| "@id": "https://pkg.go.dev/vuln/GO-2025-3754", | |
| "name": "GO-2025-3754", | |
| "description": "CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl", | |
| "aliases": [ | |
| "GHSA-2x5j-vhc8-9cwm" | |
| ] | |
| }, | |
| "products": [ | |
| { | |
| "@id": "Unknown Product", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:golang/github.com%2Fcloudflare%2Fcircl@v1.3.8" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "affected" | |
| }, | |
| { | |
| "vulnerability": { | |
| "@id": "https://pkg.go.dev/vuln/GO-2025-3802", | |
| "name": "GO-2025-3802", | |
| "description": "Helm vulnerable to Code Injection through malicious chart.yaml content in helm.sh/helm", | |
| "aliases": [ | |
| "CVE-2025-53547", | |
| "GHSA-557j-xg8c-q2mm" | |
| ] | |
| }, | |
| "products": [ | |
| { | |
| "@id": "Unknown Product", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:golang/helm.sh%2Fhelm%2Fv3@v3.16.1" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "justification": "vulnerable_code_not_in_execute_path", | |
| "impact_statement": "Govulncheck determined that the vulnerable code isn't called" | |
| }, | |
| { | |
| "vulnerability": { | |
| "@id": "https://pkg.go.dev/vuln/GO-2025-3829", | |
| "name": "GO-2025-3829", | |
| "description": "Moby firewalld reload removes bridge network isolation in github.com/docker/docker", | |
| "aliases": [ | |
| "CVE-2025-54410", | |
| "GHSA-4vq8-7jfc-9cvp" | |
| ] | |
| }, | |
| "products": [ | |
| { | |
| "@id": "Unknown Product", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:golang/github.com%2Fdocker%2Fdocker@v27.3.1+incompatible" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "affected" | |
| }, | |
| { | |
| "vulnerability": { | |
| "@id": "https://pkg.go.dev/vuln/GO-2025-3887", | |
| "name": "GO-2025-3887", | |
| "description": "Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion in helm.sh/helm", | |
| "aliases": [ | |
| "CVE-2025-55199", | |
| "GHSA-9h84-qmv7-982p" | |
| ] | |
| }, | |
| "products": [ | |
| { | |
| "@id": "Unknown Product", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:golang/helm.sh%2Fhelm%2Fv3@v3.16.1" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "justification": "vulnerable_code_not_in_execute_path", | |
| "impact_statement": "Govulncheck determined that the vulnerable code isn't called" | |
| }, | |
| { | |
| "vulnerability": { | |
| "@id": "https://pkg.go.dev/vuln/GO-2025-3888", | |
| "name": "GO-2025-3888", | |
| "description": "Helm May Panic Due To Incorrect YAML Content in helm.sh/helm", | |
| "aliases": [ | |
| "CVE-2025-55198", | |
| "GHSA-f9f8-9pmf-xv68" | |
| ] | |
| }, | |
| "products": [ | |
| { | |
| "@id": "Unknown Product", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:golang/helm.sh%2Fhelm%2Fv3@v3.16.1" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "justification": "vulnerable_code_not_in_execute_path", | |
| "impact_statement": "Govulncheck determined that the vulnerable code isn't called" | |
| }, | |
| { | |
| "vulnerability": { | |
| "@id": "https://pkg.go.dev/vuln/GO-2025-3892", | |
| "name": "GO-2025-3892", | |
| "description": "HashiCorp go-getter Vulnerable to Symlink Attacks in github.com/hashicorp/go-getter", | |
| "aliases": [ | |
| "CVE-2025-8959", | |
| "GHSA-wjrx-6529-hcj3" | |
| ] | |
| }, | |
| "products": [ | |
| { | |
| "@id": "Unknown Product", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:golang/github.com%2Fhashicorp%2Fgo-getter@v1.7.6" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "justification": "vulnerable_code_not_in_execute_path", | |
| "impact_statement": "Govulncheck determined that the vulnerable code isn't called" | |
| }, | |
| { | |
| "vulnerability": { | |
| "@id": "https://pkg.go.dev/vuln/GO-2025-3922", | |
| "name": "GO-2025-3922", | |
| "description": "Memory leaks when decoding a corrupted multiple LZMA archives in github.com/ulikunitz/xz", | |
| "aliases": [ | |
| "CVE-2025-58058", | |
| "GHSA-jc7w-c686-c4v9" | |
| ] | |
| }, | |
| "products": [ | |
| { | |
| "@id": "Unknown Product", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:golang/github.com%2Fulikunitz%2Fxz@v0.5.12" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "affected" | |
| } | |
| ] | |
| } |