WhisperX tag archive

#go

This page collects WhisperX intelligence signals tagged #go. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.

Latest Signals (20)

The Lab · 2026-03-25 12:27:26 · GitHub Issues

1. Go Crypto Library Update v0.35.0 Patches Critical SSH Server Vulnerability CVE-2025-22869

A critical security vulnerability in the widely used `golang.org/x/crypto` library has triggered an urgent, automated dependency update across countless Go projects. The flaw, tracked as CVE-2025-22869, specifically impacts SSH servers that implement file transfer protocols, exposing them to potential exploitation. Thi...

The Lab · 2026-03-25 16:27:20 · GitHub Issues

2. gRPC-Go Security Flaw Exposed: Authorization Bypass via HTTP/2 Path Header

A critical security vulnerability in the widely used gRPC-Go library has been disclosed, exposing servers to potential authorization bypass. The flaw, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. This weakness allows attackers to potentially circumvent intended ac...

The Lab · 2026-03-25 19:27:30 · GitHub Issues

3. gRPC-Go < v1.79.3 Authorization Bypass Vulnerability Disclosed (CVE-2026-33186); Dependent Projects Face Security Risk

A critical security vulnerability (CVE-2026-33186) has been confirmed in the gRPC-Go library; it allows an attacker, under specific conditions, to bypass a service's authorization controls. The vulnerability affects all versions of the `google.golang.org/grpc` library below v1.79.3. The core risk is that an attacker can send a malformed HTTP/2 request that exploits improper validation of the `:path` pseudo-header, so that the request path evades path-based authorization policy checks while still being routed to the intended handler. The conditions for exploiting this vulnerability are fairly strict, and several prerequisites must all hold: the service must be running a gRPC-Go server; it must use a path-based authorization mechanism (such as `google.golang.org/grpc/authz` or a custom interceptor); and the authorization policy must contain entries for the canonical path (...

The Lab · 2026-03-26 01:27:34 · GitHub Issues

4. gRPC-Go v1.79.3 Patches Critical Authorization Bypass in HTTP/2 Path Validation

A critical security vulnerability in the core routing logic of gRPC-Go has been patched, exposing servers to potential authorization bypass. The flaw, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server's routing was found to be excessively permissive,...

The Lab · 2026-03-26 02:27:04 · GitHub Issues

5. Gin Web Framework v1.9.1 Flagged with 8 Vulnerabilities, Highest Severity Score 7.5

Version v1.9.1 of Gin, one of the most popular web frameworks in the Go language, has been flagged by a security scanning tool with 8 security vulnerabilities, the highest carrying a severity score of 7.5 (CVSS). These vulnerabilities do not reside in the Gin framework itself; they are introduced through the `golang.org/x/net` library in its dependency chain. The scan report shows that the vulnerabilities were found in a specific commit of the project `aigency-v1.0.0`, with the reported path pointing to dependency files in the Go module cache. The list of vulnerability details has been partially disclosed and includes one numbered CVE-2025-47913. The report states clearly that the root cause of these vulnerabilities lies in the upstream components that the Gin framework depends on. For Go projects using `github.com/gin-gonic/gin v1.9.1`, ...

The Lab · 2026-03-26 18:27:21 · GitHub Issues

6. gRPC-Go Security Alert: Authorization Bypass Flaw in HTTP/2 Path Validation (CVE-2026-33186)

A critical security vulnerability in the widely used gRPC-Go library exposes servers to authorization bypass attacks. The flaw, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server's routing logic was found to be dangerously lenient, incorrectly accepti...

The Lab · 2026-03-26 18:27:22 · GitHub Issues

7. gRPC Security Update: CVE-2026-33186 Authorization Bypass Vulnerability Affects a Broad Range of Go Projects

A critical security update is being pushed to thousands of Go projects worldwide through GitHub's automated dependency management tool Renovate. The update targets the core network communication library `google.golang.org/grpc`, maintained by Google, and fixes a high-severity vulnerability tracked as CVE-2026-33186. The vulnerability is classified as an "authorization bypass" rooted in "improper input validation", meaning an attacker may be able to craft malicious input that bypasses server-side authentication or authorization checks and thereby access unauthorized data or functionality. The update jumps the gRPC library version directly from `v1.63.2` to `v1.79.3`, a very large span indicating that it contains many accumulated fixes and improvements, with the security fix being the core driver of this mandatory upgrade. The automated tool Renovate generated the ...

The Lab · 2026-03-26 18:27:24 · GitHub Issues

8. gRPC-Go Hit by High-Severity Authorization Bypass Vulnerability CVE-2026-33186; Flaw in Server Path Validation

A high-severity authorization bypass vulnerability (CVE-2026-33186) has been found in the core server component of Google's gRPC-Go framework, originating from improper input validation of the HTTP/2 `:path` pseudo-header. The vulnerability allows an attacker to bypass server-side routing logic by crafting specific malicious request paths, potentially leading to unauthorized data access or service invocation. The root cause is that the gRPC-Go server's routing logic is too lenient and accepts non-conforming `:path` header values. This security update was published as a pull request (PR) via the automated dependency management tool Renovate, urgently upgrading the `google.golang.org/grpc` module from the vulnerable v1.58.3 to the patched v1.79.3. The upgrade spans a very large range and involves multiple...

The Lab · 2026-03-26 20:27:27 · GitHub Issues

9. gRPC-Go Hit by High-Severity Authorization Bypass Vulnerability CVE-2026-33186; Flaw in Server Path Validation

A high-severity authorization bypass vulnerability (CVE-2026-33186) has been found in the core server component of Google's gRPC-Go framework, originating from improper input validation of the HTTP/2 `:path` pseudo-header. The vulnerability allows an attacker to bypass server-side routing logic by crafting specific request paths, potentially leading to unauthorized data access or service invocation. This security update urgently upgrades the module version from v1.61.0 to v1.79.3 to fix this critical defect. The root cause is that the gRPC-Go server's routing logic is too lenient and incorrectly accepts certain forms of the `:path` pseudo-header. This design flaw lets an attacker exploit the path validation weakness to achieve authorization bypass. All gRPC-Go servers running affected versions (v1.61.0 and earlier) are at potential risk, especially those that rely on the path for service...

The Lab · 2026-03-26 20:27:28 · GitHub Issues

10. gRPC-Go Security Patch: Critical Authorization Bypass in HTTP/2 Path Validation (CVE-2026-33186)

A critical security vulnerability in the widely used gRPC-Go library exposes servers to authorization bypass attacks. The flaw, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server's routing logic was found to be dangerously lenient, incorrectly accepti...

The Lab · 2026-03-28 02:26:49 · GitHub Issues

11. OpenBao Secrets Operator Exposes Sensitive HTTP Credentials in Logs via GO-2024-2947

A reachable vulnerability in the OpenBao Secrets Operator's main branch is leaking sensitive HTTP basic authentication credentials directly into log files. The flaw, tracked as GO-2024-2947, stems from a failure to sanitize URLs before they are written to logs within the underlying `github.com/hashicorp/go-retryablehtt...

The Lab · 2026-03-28 02:26:56 · GitHub Issues

12. OpenBao 2.4.x Branch Exposed to High-Severity Vulnerability GO-2026-4394: Arbitrary Code Execution Risk in OpenTelemetry SDK

In the OpenBao project's `release/2.4.x` branch, a critical security vulnerability has been flagged as "reachable" by the automated tool `govulncheck`. The vulnerability, GO-2026-4394, is rooted in a path hijacking risk in the OpenTelemetry Go SDK that the project depends on, which could lead to arbitrary code execution. The vulnerability was fixed in v1.40.0 of the OpenTelemetry SDK, but OpenBao's current branch still uses the flawed older version. The vulnerability affects multiple core locations in the OpenBao codebase, including key functional modules such as PKI certificate management, cluster operations, the agent and server startup commands, and diagnostic tools. Affected files and functions include `builtin/logical/pki/acme_er...

The Lab · 2026-03-29 02:26:54 · GitHub Issues

13. OpenBao 2.4.x Branch Exposed to High-Severity Vulnerability GO-2026-4394: Code Execution Risk in OpenTelemetry SDK

A high-severity security vulnerability flagged as "reachable" has been found in the OpenBao project's `release/2.4.x` branch. The vulnerability's tracking ID is GO-2026-4394; it is rooted in a defect in the OpenTelemetry Go SDK that the project depends on, which may allow an attacker to achieve arbitrary code execution through PATH environment variable hijacking. The vulnerability was fixed in v1.40.0 of the OpenTelemetry SDK, but OpenBao's current branch has not yet applied the patch. The vulnerability scanner `govulncheck` identified vulnerable code paths at multiple key locations in the OpenBao repository. The affected files and functions span a wide range, involving several core modules including PKI certificate management, cluster operations, agent and server startup, and diagnostic tools. ...

The Lab · 2026-03-29 02:26:56 · GitHub Issues

14. OpenBao Plugins Main Branch Exposed: Reachable Cryptographic Vulnerability GO-2026-4550 in CIRCL Library

A reachable cryptographic vulnerability has been confirmed in the main branch of the OpenBao plugins repository, exposing a critical flaw in a core security library. The automated security scan, govulncheck, identified that the source code contains a call path directly to vulnerability GO-2026-4550, which stems from an...

The Lab · 2026-03-30 20:27:34 · GitHub Issues

15. gRPC-Go Security Advisory: HTTP/2 Path Validation Flaw Enables Authorization Bypass (CVE-2026-33186)

A critical security flaw in the core routing logic of gRPC-Go servers has been disclosed, enabling potential authorization bypass. The vulnerability, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server's routing was found to be excessively permissive, ...

The Lab · 2026-03-30 22:27:09 · GitHub Issues

16. Go OAuth2 Library Exposes Critical Memory Consumption Vulnerability (CVE-2025-22868)

A critical security flaw in the widely used `golang.org/x/oauth2` library exposes Go applications to potential denial-of-service attacks. The vulnerability, tracked as CVE-2025-22868, allows an attacker to pass a malicious, malformed token that triggers unexpected memory consumption during parsing. This could lead to r...

The Lab · 2026-03-31 02:27:04 · GitHub Issues

17. OpenBao Secrets Operator Exposes Sensitive HTTP Credentials in Logs via GO-2024-2947

A critical security vulnerability in the OpenBao Secrets Operator's main branch can leak sensitive HTTP basic authentication credentials directly into log files. The flaw, identified as GO-2024-2947, is confirmed as 'reachable' by automated scanning tools, meaning the vulnerable code path is active and exploitable in t...

The Lab · 2026-03-31 09:27:06 · GitHub Issues

18. gRPC-Go Security Advisory: Authorization Bypass Flaw in HTTP/2 Path Validation (CVE-2026-33186)

A critical security vulnerability in the widely used gRPC-Go library exposes servers to authorization bypass attacks. The flaw, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server's routing logic was found to be excessively lenient, incorrectly accepti...

The Lab · 2026-03-31 12:27:47 · GitHub Issues

19. OpenBao Plugins Main Branch Exposed: Critical gRPC Authorization Bypass (GO-2026-4762) Found Reachable

A critical, reachable vulnerability has been identified in the main branch of the OpenBao openbao-plugins repository, posing a direct risk of authorization bypass. The flaw, tracked as GO-2026-4762, resides within the gRPC-Go library and is exploitable due to a missing leading slash in the HTTP/2 `:path` header. Automate...

The Lab · 2026-03-31 17:27:30 · GitHub Issues

20. Security Alert: go-git v5.17.1 Patches Critical Index Parsing Vulnerability (CVE-2026-33762)

A critical security flaw in the popular Go library `go-git` has been patched, addressing a vulnerability that could allow an attacker to crash applications by supplying a maliciously crafted Git index file. The issue, tracked as CVE-2026-33762, resides in the index decoder for format version 4, which fails to properly ...