Go Vulnerability Report
The following vulnerabilities were identified in the master branch:
----------------------------------------------------------------
Module: httpio
----------------------------------------------------------------
=== Symbol Results ===
Vulnerability #1: GO-2026-4947
Unexpected work during chain building in crypto/x509
More info: https://pkg.go.dev/vuln/GO-2026-4947
Standard library
Found in: crypto/x509@go1.25.8
Fixed in: crypto/x509@go1.25.9
Example traces found:
#1: errors.go:509:29: httpio.NewTooManyRequestsMessageWithErrorf calls fmt.Sprintf, which eventually calls x509.Certificate.Verify
Vulnerability #2: GO-2026-4946
Inefficient policy validation in crypto/x509
More info: https://pkg.go.dev/vuln/GO-2026-4946
Standard library
Found in: crypto/x509@go1.25.8
Fixed in: crypto/x509@go1.25.9
Example traces found:
#1: errors.go:509:29: httpio.NewTooManyRequestsMessageWithErrorf calls fmt.Sprintf, which eventually calls x509.Certificate.Verify
Vulnerability #3: GO-2026-4870
Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection
retention and DoS in crypto/tls
More info: https://pkg.go.dev/vuln/GO-2026-4870
Standard library
Found in: crypto/tls@go1.25.8
Fixed in: crypto/tls@go1.25.9
Example traces found:
#1: encode.go:7:2: httpio.init calls http.init, which eventually calls tls.Conn.Handshake
#2: encode.go:7:2: httpio.init calls http.init, which eventually calls tls.Conn.HandshakeContext
#3: encode.go:7:2: httpio.init calls http.init, which eventually calls tls.Conn.Read
#4: errors.go:509:29: httpio.NewTooManyRequestsMessageWithErrorf calls fmt.Sprintf, which eventually calls tls.Conn.Write
#5: encode.go:7:2: httpio.init calls http.init, which eventually calls tls.Dialer.DialContext
Vulnerability #4: GO-2026-4865
JsBraceDepth Context Tracking Bugs (XSS) in html/template
More info: https://pkg.go.dev/vuln/GO-2026-4865
Standard library
Found in: html/template@go1.25.8
Fixed in: html/template@go1.25.9
Example traces found:
#1: errors.go:509:29: httpio.NewTooManyRequestsMessageWithErrorf calls fmt.Sprintf, which eventually calls template.Error.Error
#2: encode.go:7:2: httpio.init calls http.init, which eventually calls template.Template.Funcs
#3: encode.go:7:2: httpio.init calls http.init, which eventually calls template.Template.Parse
#4: errors.go:509:29: httpio.NewTooManyRequestsMessageWithErrorf calls fmt.Sprintf, which eventually calls template.context.String
Your code is affected by 4 vulnerabilities from the Go standard library.
This scan also found 2 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
The following vulnerabilities were identified in the latest release:
----------------------------------------------------------------
Module: httpio
----------------------------------------------------------------
=== Symbol Results ===
Vulnerability #1: GO-2026-4947
Unexpected work during chain building in crypto/x509
More info: https://pkg.go.dev/vuln/GO-2026-4947
Standard library
Found in: crypto/x509@go1.25.8
Fixed in: crypto/x509@go1.25.9
Example traces found:
#1: errors.go:509:29: httpio.NewTooManyRequestsMessageWithErrorf calls fmt.Sprintf, which eventually calls x509.Certificate.Verify
Vulnerability #2: GO-2026-4946
Inefficient policy validation in crypto/x509
More info: https://pkg.go.dev/vuln/GO-2026-4946
Standard library
Found in: crypto/x509@go1.25.8
Fixed in: crypto/x509@go1.25.9
Example traces found:
#1: errors.go:509:29: httpio.NewTooManyRequestsMessageWithErrorf calls fmt.Sprintf, which eventually calls x509.Certificate.Verify
Vulnerability #3: GO-2026-4870
Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection
retention and DoS in crypto/tls
More info: https://pkg.go.dev/vuln/GO-2026-4870
Standard library
Found in: crypto/tls@go1.25.8
Fixed in: crypto/tls@go1.25.9
Example traces found:
#1: encode.go:7:2: httpio.init calls http.init, which eventually calls tls.Conn.Handshake
#2: encode.go:7:2: httpio.init calls http.init, which eventually calls tls.Conn.HandshakeContext
#3: encode.go:7:2: httpio.init calls http.init, which eventually calls tls.Conn.Read
#4: errors.go:509:29: httpio.NewTooManyRequestsMessageWithErrorf calls fmt.Sprintf, which eventually calls tls.Conn.Write
#5: encode.go:7:2: httpio.init calls http.init, which eventually calls tls.Dialer.DialContext
Vulnerability #4: GO-2026-4865
JsBraceDepth Context Tracking Bugs (XSS) in html/template
More info: https://pkg.go.dev/vuln/GO-2026-4865
Standard library
Found in: html/template@go1.25.8
Fixed in: html/template@go1.25.9
Example traces found:
#1: errors.go:509:29: httpio.NewTooManyRequestsMessageWithErrorf calls fmt.Sprintf, which eventually calls template.Error.Error
#2: encode.go:7:2: httpio.init calls http.init, which eventually calls template.Template.Funcs
#3: encode.go:7:2: httpio.init calls http.init, which eventually calls template.Template.Parse
#4: errors.go:509:29: httpio.NewTooManyRequestsMessageWithErrorf calls fmt.Sprintf, which eventually calls template.context.String
Your code is affected by 4 vulnerabilities from the Go standard library.
This scan also found 2 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.