stdlib 1.25.6 (golang)
pkg:golang/stdlib@1.25.6
# Dockerfile (38:38)
COPY --from=deps /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

| Affected range | >=1.25.0-0 <1.25.7 |
| --- | --- |
| Fixed version | 1.25.7 |
| EPSS Score | 0.018% |
| EPSS Percentile | 5th percentile |
Description
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

| Affected range | <1.25.10 |
| --- | --- |
| Fixed version | 1.25.10 |
| EPSS Score | 0.022% |
| EPSS Percentile | 6th percentile |
Description
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

| Affected range | <1.25.10 |
| --- | --- |
| Fixed version | 1.25.10 |
| EPSS Score | 0.020% |
| EPSS Percentile | 6th percentile |
Description
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

| Affected range | <1.25.10 |
| --- | --- |
| Fixed version | 1.25.10 |
| EPSS Score | 0.054% |
| EPSS Percentile | 17th percentile |
Description
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

| Affected range | <1.25.10 |
| --- | --- |
| Fixed version | 1.25.10 |
| EPSS Score | 0.018% |
| EPSS Percentile | 5th percentile |
Description
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

| Affected range | <1.25.10 |
| --- | --- |
| Fixed version | 1.25.10 |
| EPSS Score | 0.017% |
| EPSS Percentile | 4th percentile |
Description
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

| Affected range | <1.25.9 |
| --- | --- |
| Fixed version | 1.25.9 |
| EPSS Score | 0.019% |
| EPSS Percentile | 5th percentile |
Description
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.
This only affects TLS 1.3.

| Affected range | <1.25.9 |
| --- | --- |
| Fixed version | 1.25.9 |
| EPSS Score | 0.022% |
| EPSS Percentile | 6th percentile |
Description
Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.
This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

| Affected range | <1.25.9 |
| --- | --- |
| Fixed version | 1.25.9 |
| EPSS Score | 0.021% |
| EPSS Percentile | 6th percentile |
Description
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

| Affected range | <1.25.8 |
| --- | --- |
| Fixed version | 1.25.8 |
| EPSS Score | 0.044% |
| EPSS Percentile | 14th percentile |
Description
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

| Affected range | <1.25.9 |
| --- | --- |
| Fixed version | 1.25.9 |
| EPSS Score | 0.010% |
| EPSS Percentile | 1st percentile |
Description
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root.
The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

| Affected range | <1.25.10 |
| --- | --- |
| Fixed version | 1.25.10 |
| EPSS Score | 0.013% |
| EPSS Percentile | 2nd percentile |
Description
If a trusted template author were to write a
</blockquote>
</details>
medium: CVE-2026-39823 (https://scout.docker.com/v/CVE-2026-39823?s=golang&n=stdlib&t=golang&vr=%3C1.25.10)
| Affected range | <1.25.10 |
| --- | --- |
| Fixed version | 1.25.10 |
| EPSS Score | 0.010% |
| EPSS Percentile | 1st percentile |
Description
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS.

| Affected range | <1.25.9 |
| --- | --- |
| Fixed version | 1.25.9 |
| EPSS Score | 0.011% |
| EPSS Percentile | 1st percentile |
Description
Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied.
These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.

| Affected range | <1.25.8 |
| --- | --- |
| Fixed version | 1.25.8 |
| EPSS Score | 0.013% |
| EPSS Percentile | 2nd percentile |
Description
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh".
A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

| Affected range | <1.25.9 |
| --- | --- |
| Fixed version | 1.25.9 |
| EPSS Score | 0.004% |
| EPSS Percentile | 0th percentile |
Description
tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

| Affected range | <1.25.10 |
| --- | --- |
| Fixed version | 1.25.10 |
| EPSS Score | 0.012% |
| EPSS Percentile | 2nd percentile |
Description
ReverseProxy can forward queries containing parameters not visible to Rewrite functions.
When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function.
For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.

| Affected range | <1.25.8 |
| --- | --- |
| Fixed version | 1.25.8 |
| EPSS Score | 0.007% |
| EPSS Percentile | 1st percentile |
Description
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.
The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

| Affected range | <1.25.11 |
| --- | --- |
| Fixed version | 1.25.11 |
Description
When returning errors, functions in the net/textproto package would include their input as part of the error. This might allow an attacker to inject misleading content into errors that are printed or logged.

| Affected range | <1.25.11 |
| --- | --- |
| Fixed version | 1.25.11 |
Description
Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

| Affected range | <1.25.11 |
| --- | --- |
| Fixed version | 1.25.11 |
Description
(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.
With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.