
Commit fb6751e

committed
data/reports: add 5 reports
- data/reports/GO-2025-4161.yaml - data/reports/GO-2025-4173.yaml - data/reports/GO-2025-4188.yaml - data/reports/GO-2025-4233.yaml - data/reports/GO-2025-4235.yaml Fixes #4161 Fixes #4173 Fixes #4188 Fixes #4233 Fixes #4235 Change-Id: I8e1de6fe5805738722462e1d204a95b9722313c2 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/730162 LUCI-TryBot-Result: Go LUCI <[email protected]> Auto-Submit: Nicholas Husin <[email protected]> Reviewed-by: Ethan Lee <[email protected]> Reviewed-by: Nicholas Husin <[email protected]>
1 parent ab824f4 commit fb6751e


10 files changed

+644
-0
lines changed


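--- a/data/osv/GO-2025-4161.json
+++ b/data/osv/GO-2025-4161.json
@@ -0,0 +1,99 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2025-4161",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2025-65942",
+"GHSA-66jq-2c23-2xh5"
+],
+"summary": "VictoriaMetrics' Snappy Decoder DoS Vulnerability is Causing OOM in github.com/VictoriaMetrics/VictoriaMetrics",
+"details": "VictoriaMetrics' Snappy Decoder DoS Vulnerability is Causing OOM in github.com/VictoriaMetrics/VictoriaMetrics",
+"affected": [
+{
+"package": {
+"name": "github.com/VictoriaMetrics/VictoriaMetrics",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "1.110.23"
+},
+{
+"introduced": "1.111.0"
+},
+{
+"fixed": "1.122.8"
+},
+{
+"introduced": "1.123.0"
+},
+{
+"fixed": "1.129.1"
+}
+]
+}
+],
+"ecosystem_specific": {
+"imports": [
+{
+"path": "github.com/VictoriaMetrics/VictoriaMetrics/lib/protoparser/promremotewrite/stream",
+"symbols": [
+"Parse"
+]
+},
+{
+"path": "github.com/VictoriaMetrics/VictoriaMetrics/lib/protoparser/protoparserutil",
+"symbols": [
+"GetUncompressedReader",
+"ReadUncompressedData",
+"snappyReader.Reset"
+]
+}
+],
+"custom_ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "1.0.0"
+}
+]
+}
+]
+}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/VictoriaMetrics/VictoriaMetrics/security/advisories/GHSA-66jq-2c23-2xh5"
+},
+{
+"type": "FIX",
+"url": "https://github.com/VictoriaMetrics/VictoriaMetrics/commit/51b44afd34d2c9a392d4ebedeeb5b4a7f5beca24"
+},
+{
+"type": "WEB",
+"url": "https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.110.23"
+},
+{
+"type": "WEB",
+"url": "https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.122.8"
+},
+{
+"type": "WEB",
+"url": "https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.129.1"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2025-4161",
+"review_status": "REVIEWED"
+}
+}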
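Review bot: `details` on line 11 repeats `summary` word for word, so the record gives a consumer no account of what triggers the OOM or which deployments are exposed, even though `review_status` is `REVIEWED`. The same duplication appears in GO-2025-4173, GO-2025-4188 and GO-2025-4233 in this commit. These JSON files appear to be derived from the `data/reports/*.yaml` files named in the commit message, so the description would need to be written there. A short text drawn from the linked advisory, stating the affected input path and the condition under which memory is exhausted, would let operators judge exposure without leaving the record.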

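--- a/data/osv/GO-2025-4173.json
+++ b/data/osv/GO-2025-4173.json
@@ -0,0 +1,60 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2025-4173",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2025-10543",
+"GHSA-32fw-gq77-f2f2"
+],
+"summary": "Eclipse Paho Go MQTT may incorrectly encode strings if length exceeds 65535 bytes in github.com/eclipse/paho.mqtt.golang",
+"details": "Eclipse Paho Go MQTT may incorrectly encode strings if length exceeds 65535 bytes in github.com/eclipse/paho.mqtt.golang",
+"affected": [
+{
+"package": {
+"name": "github.com/eclipse/paho.mqtt.golang",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "1.5.1"
+}
+]
+}
+],
+"ecosystem_specific": {}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/advisories/GHSA-32fw-gq77-f2f2"
+},
+{
+"type": "WEB",
+"url": "https://github.com/alpinelinux/build-server-status/commit/e3487897db32c8c3d0287643f8384a6669e93731"
+},
+{
+"type": "WEB",
+"url": "https://github.com/eclipse-paho/paho.mqtt.golang/issues/730"
+},
+{
+"type": "WEB",
+"url": "https://github.com/eclipse-paho/paho.mqtt.golang/pull/714"
+},
+{
+"type": "WEB",
+"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/254"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2025-4173",
+"review_status": "REVIEWED"
+}
+}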
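Review bot: `ecosystem_specific` on line 31 is empty, so this entry carries no package or symbol data and a scanner can only match at module level: every build depending on `github.com/eclipse/paho.mqtt.golang` below 1.5.1 is reported, whether or not it reaches the affected string-encoding path. GO-2025-4188 has the same gap, although its summary names `Entry.Writer()`. If the affected packages and symbols can be derived from the upstream fix, an `imports` list like those in GO-2025-4161 and GO-2025-4233 would reduce false positives. Separately, the references contain no `FIX` entry, and the `alpinelinux/build-server-status` commit on line 41 belongs to a different project, so it is worth confirming that it is meant to be here.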

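--- a/data/osv/GO-2025-4188.json
+++ b/data/osv/GO-2025-4188.json
@@ -0,0 +1,92 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2025-4188",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2025-65637",
+"GHSA-4f99-4q7p-p3gh"
+],
+"summary": "Logrus is vulnerable to DoS when using Entry.Writer() in github.com/sirupsen/logrus",
+"details": "Logrus is vulnerable to DoS when using Entry.Writer() in github.com/sirupsen/logrus",
+"affected": [
+{
+"package": {
+"name": "github.com/sirupsen/logrus",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "1.8.3"
+},
+{
+"introduced": "1.9.0"
+},
+{
+"fixed": "1.9.1"
+},
+{
+"introduced": "1.9.2"
+},
+{
+"fixed": "1.9.3"
+}
+]
+}
+],
+"ecosystem_specific": {}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/advisories/GHSA-4f99-4q7p-p3gh"
+},
+{
+"type": "FIX",
+"url": "https://github.com/sirupsen/logrus/commit/6acd903758687c4a3db3c11701e6c414fcf1c1f7"
+},
+{
+"type": "FIX",
+"url": "https://github.com/sirupsen/logrus/pull/1376"
+},
+{
+"type": "REPORT",
+"url": "https://github.com/sirupsen/logrus/issues/1370"
+},
+{
+"type": "WEB",
+"url": "https://github.com/mjuanxd/logrus-dos-poc"
+},
+{
+"type": "WEB",
+"url": "https://github.com/mjuanxd/logrus-dos-poc/blob/main/README.md"
+},
+{
+"type": "WEB",
+"url": "https://github.com/sirupsen/logrus/releases/tag/v1.8.3"
+},
+{
+"type": "WEB",
+"url": "https://github.com/sirupsen/logrus/releases/tag/v1.9.1"
+},
+{
+"type": "WEB",
+"url": "https://github.com/sirupsen/logrus/releases/tag/v1.9.3"
+},
+{
+"type": "WEB",
+"url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSIRUPSENLOGRUS-5564391"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2025-4188",
+"review_status": "REVIEWED"
+}
+}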

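--- a/data/osv/GO-2025-4233.json
+++ b/data/osv/GO-2025-4233.json
@@ -0,0 +1,120 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2025-4233",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2025-64702",
+"GHSA-g754-hx8w-x2g6"
+],
+"summary": "HTTP/3 QPACK Header Expansion DoS in github.com/quic-go/quic-go",
+"details": "HTTP/3 QPACK Header Expansion DoS in github.com/quic-go/quic-go",
+"affected": [
+{
+"package": {
+"name": "github.com/quic-go/quic-go",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "0.57.0"
+}
+]
+}
+],
+"ecosystem_specific": {
+"imports": [
+{
+"path": "github.com/quic-go/quic-go/http3",
+"symbols": [
+"ClientConn.OpenRequestStream",
+"ClientConn.RoundTrip",
+"ConfigureTLSConfig",
+"Conn.OpenStream",
+"Conn.OpenStreamSync",
+"Conn.OpenUniStream",
+"Conn.OpenUniStreamSync",
+"Conn.decodeTrailers",
+"ErrCode.String",
+"Error.Error",
+"ListenAndServeQUIC",
+"ListenAndServeTLS",
+"ParseCapsule",
+"RequestStream.CancelRead",
+"RequestStream.CancelWrite",
+"RequestStream.Close",
+"RequestStream.Read",
+"RequestStream.ReadResponse",
+"RequestStream.SendRequestHeader",
+"RequestStream.Write",
+"Server.Close",
+"Server.ListenAndServe",
+"Server.ListenAndServeTLS",
+"Server.Serve",
+"Server.ServeListener",
+"Server.ServeQUICConn",
+"Server.Shutdown",
+"Server.handleRequest",
+"Server.maxHeaderBytes",
+"Stream.Read",
+"Stream.Write",
+"Transport.Close",
+"Transport.CloseIdleConnections",
+"Transport.NewClientConn",
+"Transport.RoundTrip",
+"Transport.RoundTripOpt",
+"body.Close",
+"body.Read",
+"cancelingReader.Read",
+"countingByteReader.Read",
+"countingByteReader.ReadByte",
+"errConnUnusable.Error",
+"exactReader.Read",
+"frameParser.ParseNext",
+"gzipReader.Close",
+"gzipReader.Read",
+"hijackableBody.Close",
+"hijackableBody.Read",
+"parseHeaders",
+"requestFromHeaders",
+"requestWriter.WriteRequestHeader",
+"responseWriter.Flush",
+"responseWriter.FlushError",
+"responseWriter.HTTPStream",
+"responseWriter.Write",
+"responseWriter.WriteHeader",
+"roundTripperWithCount.Close",
+"stateTrackingStream.CancelRead",
+"stateTrackingStream.CancelWrite",
+"stateTrackingStream.Close",
+"stateTrackingStream.Read",
+"stateTrackingStream.Write",
+"tracingReader.Read",
+"updateResponseFromHeaders"
+]
+}
+]
+}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-g754-hx8w-x2g6"
+},
+{
+"type": "FIX",
+"url": "https://github.com/quic-go/quic-go/commit/5b2d2129f8315da41e01eff0a847ab38a34e83a8"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2025-4233",
+"review_status": "REVIEWED"
+}
+}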
