govulncheck finds called vulnerabilities

govulncheck ./...

=== Symbol Results ===

Vulnerability https://github.com/datarhei/core/pull/1: GO-2025-3595
Incorrect Neutralization of Input During Web Page Generation in x/net in
golang.org/x/net
More info: https://pkg.go.dev/vuln/GO-2025-3595
Module: golang.org/x/net
Found in: [golang.org/x/net@v0.25.0](mailto:golang.org/x/net@v0.25.0)
Fixed in: [golang.org/x/net@v0.38.0](mailto:golang.org/x/net@v0.38.0)

Vulnerability #2: GO-2025-3553
Excessive memory allocation during header parsing in
github.com/golang-jwt/jwt
More info: https://pkg.go.dev/vuln/GO-2025-3553
Module: github.com/golang-jwt/jwt
Found in: [github.com/golang-jwt/jwt@v3.2.2+incompatible](mailto:github.com/golang-jwt/jwt@v3.2.2+incompatible)
Fixed in: N/A
Example traces found:
https://github.com/datarhei/core/pull/1: http/middleware/session/HLS.go:20:2: session.init calls middleware.init, which calls jwt.init

Module: github.com/golang-jwt/jwt/v4
Found in: [github.com/golang-jwt/jwt/v4@v4.5.0](mailto:github.com/golang-jwt/jwt/v4@v4.5.0)
Fixed in: [github.com/golang-jwt/jwt/v4@v4.5.2](mailto:github.com/golang-jwt/jwt/v4@v4.5.2)
Example traces found:
https://github.com/datarhei/core/pull/1: http/server.go:402:20: http.server.ServeHTTP calls echo.Echo.ServeHTTP, which eventually calls jwt.Parser.ParseUnverified

Module: github.com/golang-jwt/jwt/v5
Found in: [github.com/golang-jwt/jwt/v5@v5.2.1](mailto:github.com/golang-jwt/jwt/v5@v5.2.1)
Fixed in: [github.com/golang-jwt/jwt/v5@v5.2.2](mailto:github.com/golang-jwt/jwt/v5@v5.2.2)
Example traces found:
https://github.com/datarhei/core/pull/1: http/jwt/validator.go:114:36: jwt.auth0Validator.Validate calls jwt.Parser.ParseUnverified

Vulnerability https://github.com/datarhei/core/pull/3: GO-2024-3250
Improper error handling in ParseWithClaims and bad documentation may cause
dangerous situations in github.com/golang-jwt/jwt
More info: https://pkg.go.dev/vuln/GO-2024-3250
Module: github.com/golang-jwt/jwt/v4
Found in: [github.com/golang-jwt/jwt/v4@v4.5.0](mailto:github.com/golang-jwt/jwt/v4@v4.5.0)
Fixed in: [github.com/golang-jwt/jwt/v4@v4.5.1](mailto:github.com/golang-jwt/jwt/v4@v4.5.1)
Example traces found:
https://github.com/datarhei/core/pull/1: http/server.go:402:20: http.server.ServeHTTP calls echo.Echo.ServeHTTP, which eventually calls jwt.ParseWithClaims

Vulnerability #4: GO-2024-2920
Denial of service vulnerability via the parseDirectives function in
github.com/vektah/gqlparser
More info: https://pkg.go.dev/vuln/GO-2024-2920
Module: github.com/vektah/gqlparser/v2
Found in: [github.com/vektah/gqlparser/v2@v2.5.12](mailto:github.com/vektah/gqlparser/v2@v2.5.12)
Fixed in: [github.com/vektah/gqlparser/v2@v2.5.14](mailto:github.com/vektah/gqlparser/v2@v2.5.14)
Example traces found:
https://github.com/datarhei/core/pull/1: http/handler/api/graph.go:46:26: api.GraphHandler.Query calls handler.Server.ServeHTTP, which eventually calls parser.ParseQuery
#2: http/graph/graph/graph.go:1832:44: graph.init calls gqlparser.MustLoadSchema, which eventually calls parser.ParseSchemas


-----

You can resolve the CVE's by  updating libraries

go get github.com/golang-jwt/jwt/v4

go get github.com/vektah/gqlparser/v2

go get golang.org/x/net

go get github.com/labstack/echo-jwt

go get github.com/golang-jwt/jwt/v5

go get github.com/labstack/echo/v4

-----

I've done the work within https://github.com/datarhei/core/pull/29

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

govulncheck finds called vulnerabilities #30

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

govulncheck finds called vulnerabilities #30

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions