@fabasoad/sarif-to-slack 0.2.5 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (192)
  1. package/.github/workflows/release.yml +1 -1
  2. package/.github/workflows/security.yml +0 -1
  3. package/.github/workflows/send-sarif-to-slack.yml +145 -73
  4. package/.gitleaksignore +8 -0
  5. package/.pre-commit-config.yaml +3 -3
  6. package/.tool-versions +1 -1
  7. package/dist/Logger.js +4 -1
  8. package/dist/SarifToSlackClient.d.ts +33 -0
  9. package/dist/SarifToSlackClient.d.ts.map +1 -0
  10. package/dist/SarifToSlackClient.js +178 -0
  11. package/dist/SlackMessageBuilder.js +34 -82
  12. package/dist/System.d.ts +1 -3
  13. package/dist/System.d.ts.map +1 -1
  14. package/dist/System.js +10 -3
  15. package/dist/index.cjs +826 -472
  16. package/dist/index.d.ts +35 -12
  17. package/dist/index.d.ts.map +1 -1
  18. package/dist/index.js +36 -12
  19. package/dist/model/Color.d.ts +80 -0
  20. package/dist/model/Color.d.ts.map +1 -0
  21. package/dist/model/Color.js +106 -0
  22. package/dist/model/Finding.d.ts +2 -0
  23. package/dist/model/Finding.d.ts.map +1 -0
  24. package/dist/model/Finding.js +93 -0
  25. package/dist/model/FindingsArray.d.ts +2 -0
  26. package/dist/model/FindingsArray.d.ts.map +1 -0
  27. package/dist/model/FindingsArray.js +24 -0
  28. package/dist/processors/CodeQLProcessor.d.ts +2 -0
  29. package/dist/processors/CodeQLProcessor.d.ts.map +1 -0
  30. package/dist/processors/CodeQLProcessor.js +17 -0
  31. package/dist/processors/CommonProcessor.d.ts +2 -0
  32. package/dist/processors/CommonProcessor.d.ts.map +1 -0
  33. package/dist/processors/CommonProcessor.js +84 -0
  34. package/dist/processors/ProcessorFactory.d.ts +2 -0
  35. package/dist/processors/ProcessorFactory.d.ts.map +1 -0
  36. package/dist/processors/ProcessorFactory.js +22 -0
  37. package/dist/processors/SnykProcessor.d.ts +2 -0
  38. package/dist/processors/SnykProcessor.d.ts.map +1 -0
  39. package/dist/processors/SnykProcessor.js +18 -0
  40. package/dist/representations/CompactGroupByRepresentation.d.ts +2 -0
  41. package/dist/representations/CompactGroupByRepresentation.d.ts.map +1 -0
  42. package/dist/representations/CompactGroupByRepresentation.js +58 -0
  43. package/dist/representations/CompactGroupByRunPerLevelRepresentation.d.ts +2 -0
  44. package/dist/representations/CompactGroupByRunPerLevelRepresentation.d.ts.map +1 -0
  45. package/dist/representations/CompactGroupByRunPerLevelRepresentation.js +13 -0
  46. package/dist/representations/CompactGroupByRunPerSeverityRepresentation.d.ts +2 -0
  47. package/dist/representations/CompactGroupByRunPerSeverityRepresentation.d.ts.map +1 -0
  48. package/dist/representations/CompactGroupByRunPerSeverityRepresentation.js +13 -0
  49. package/dist/representations/CompactGroupByRunRepresentation.d.ts +2 -0
  50. package/dist/representations/CompactGroupByRunRepresentation.d.ts.map +1 -0
  51. package/dist/representations/CompactGroupByRunRepresentation.js +39 -0
  52. package/dist/representations/CompactGroupBySarifPerLevelRepresentation.d.ts +2 -0
  53. package/dist/representations/CompactGroupBySarifPerLevelRepresentation.d.ts.map +1 -0
  54. package/dist/representations/CompactGroupBySarifPerLevelRepresentation.js +13 -0
  55. package/dist/representations/CompactGroupBySarifPerSeverityRepresentation.d.ts +2 -0
  56. package/dist/representations/CompactGroupBySarifPerSeverityRepresentation.d.ts.map +1 -0
  57. package/dist/representations/CompactGroupBySarifPerSeverityRepresentation.js +13 -0
  58. package/dist/representations/CompactGroupBySarifRepresentation.d.ts +2 -0
  59. package/dist/representations/CompactGroupBySarifRepresentation.d.ts.map +1 -0
  60. package/dist/representations/CompactGroupBySarifRepresentation.js +40 -0
  61. package/dist/representations/CompactGroupByToolNamePerLevelRepresentation.d.ts +2 -0
  62. package/dist/representations/CompactGroupByToolNamePerLevelRepresentation.d.ts.map +1 -0
  63. package/dist/representations/CompactGroupByToolNamePerLevelRepresentation.js +13 -0
  64. package/dist/representations/CompactGroupByToolNamePerSeverityRepresentation.d.ts +2 -0
  65. package/dist/representations/CompactGroupByToolNamePerSeverityRepresentation.d.ts.map +1 -0
  66. package/dist/representations/CompactGroupByToolNamePerSeverityRepresentation.js +13 -0
  67. package/dist/representations/CompactGroupByToolNameRepresentation.d.ts +2 -0
  68. package/dist/representations/CompactGroupByToolNameRepresentation.d.ts.map +1 -0
  69. package/dist/representations/CompactGroupByToolNameRepresentation.js +39 -0
  70. package/dist/representations/CompactTotalPerLevelRepresentation.d.ts +2 -0
  71. package/dist/representations/CompactTotalPerLevelRepresentation.d.ts.map +1 -0
  72. package/dist/representations/CompactTotalPerLevelRepresentation.js +13 -0
  73. package/dist/representations/CompactTotalPerSeverityRepresentation.d.ts +2 -0
  74. package/dist/representations/CompactTotalPerSeverityRepresentation.d.ts.map +1 -0
  75. package/dist/representations/CompactTotalPerSeverityRepresentation.js +13 -0
  76. package/dist/representations/CompactTotalRepresentation.d.ts +2 -0
  77. package/dist/representations/CompactTotalRepresentation.d.ts.map +1 -0
  78. package/dist/representations/CompactTotalRepresentation.js +25 -0
  79. package/dist/representations/Representation.d.ts +2 -0
  80. package/dist/representations/Representation.d.ts.map +1 -0
  81. package/dist/representations/Representation.js +28 -0
  82. package/dist/representations/RepresentationFactory.d.ts +2 -0
  83. package/dist/representations/RepresentationFactory.d.ts.map +1 -0
  84. package/dist/representations/RepresentationFactory.js +37 -0
  85. package/dist/sarif-to-slack.d.ts +347 -85
  86. package/dist/tsdoc-metadata.json +1 -1
  87. package/dist/types.d.ts +215 -51
  88. package/dist/types.d.ts.map +1 -1
  89. package/dist/types.js +225 -33
  90. package/dist/utils/Comparators.d.ts +2 -0
  91. package/dist/utils/Comparators.d.ts.map +1 -0
  92. package/dist/utils/Comparators.js +18 -0
  93. package/dist/utils/ExtendedArray.d.ts +2 -0
  94. package/dist/utils/ExtendedArray.d.ts.map +1 -0
  95. package/dist/utils/ExtendedArray.js +11 -0
  96. package/dist/utils/FileUtils.d.ts +2 -0
  97. package/dist/utils/FileUtils.d.ts.map +1 -0
  98. package/dist/utils/FileUtils.js +51 -0
  99. package/dist/utils/SarifUtils.js +20 -54
  100. package/etc/sarif-to-slack.api.md +162 -99
  101. package/jest.config.json +2 -2
  102. package/package.json +7 -7
  103. package/scripts/save-metadata.sh +12 -10
  104. package/src/Logger.ts +4 -0
  105. package/src/SarifToSlackClient.ts +202 -0
  106. package/src/SlackMessageBuilder.ts +35 -115
  107. package/src/System.ts +9 -2
  108. package/src/index.ts +47 -20
  109. package/src/model/Color.ts +195 -0
  110. package/src/model/Finding.ts +137 -0
  111. package/src/model/FindingsArray.ts +27 -0
  112. package/src/processors/CodeQLProcessor.ts +19 -0
  113. package/src/processors/CommonProcessor.ts +103 -0
  114. package/src/processors/ProcessorFactory.ts +23 -0
  115. package/src/processors/SnykProcessor.ts +19 -0
  116. package/src/representations/CompactGroupByRepresentation.ts +67 -0
  117. package/src/representations/CompactGroupByRunPerLevelRepresentation.ts +14 -0
  118. package/src/representations/CompactGroupByRunPerSeverityRepresentation.ts +14 -0
  119. package/src/representations/CompactGroupByRunRepresentation.ts +44 -0
  120. package/src/representations/CompactGroupBySarifPerLevelRepresentation.ts +15 -0
  121. package/src/representations/CompactGroupBySarifPerSeverityRepresentation.ts +15 -0
  122. package/src/representations/CompactGroupBySarifRepresentation.ts +45 -0
  123. package/src/representations/CompactGroupByToolNamePerLevelRepresentation.ts +15 -0
  124. package/src/representations/CompactGroupByToolNamePerSeverityRepresentation.ts +15 -0
  125. package/src/representations/CompactGroupByToolNameRepresentation.ts +44 -0
  126. package/src/representations/CompactTotalPerLevelRepresentation.ts +14 -0
  127. package/src/representations/CompactTotalPerSeverityRepresentation.ts +14 -0
  128. package/src/representations/CompactTotalRepresentation.ts +27 -0
  129. package/src/representations/Representation.ts +35 -0
  130. package/src/representations/RepresentationFactory.ts +49 -0
  131. package/src/types.ts +270 -53
  132. package/src/utils/Comparators.ts +19 -0
  133. package/src/utils/ExtendedArray.ts +11 -0
  134. package/src/utils/FileUtils.ts +60 -0
  135. package/src/utils/SarifUtils.ts +20 -72
  136. package/test-data/sarif/codeql-python.sarif +1448 -1
  137. package/test-data/sarif/codeql-typescript.sarif +3474 -1
  138. package/test-data/sarif/grype-github-actions.sarif +65 -0
  139. package/test-data/sarif/osv-scanner-composer.sarif +972 -0
  140. package/test-data/sarif/osv-scanner-container.sarif +2278 -0
  141. package/test-data/sarif/osv-scanner-gomodules.sarif +813 -0
  142. package/test-data/sarif/osv-scanner-hex.sarif +147 -0
  143. package/test-data/sarif/osv-scanner-maven.sarif +171 -0
  144. package/test-data/sarif/osv-scanner-npm.sarif +627 -0
  145. package/test-data/sarif/osv-scanner-pip.sarif +206 -0
  146. package/test-data/sarif/osv-scanner-pipenv.sarif +243 -0
  147. package/test-data/sarif/osv-scanner-pnpm.sarif +174 -0
  148. package/test-data/sarif/osv-scanner-poetry.sarif +1893 -0
  149. package/test-data/sarif/osv-scanner-rubygems.sarif +402 -0
  150. package/test-data/sarif/osv-scanner-uv.sarif +206 -0
  151. package/test-data/sarif/osv-scanner-yarn.sarif +5207 -0
  152. package/test-data/sarif/runs-0.sarif +5 -0
  153. package/test-data/sarif/runs-2-tools-2-results-0.sarif +1 -1
  154. package/test-data/sarif/runs-2-tools-2.sarif +1 -1
  155. package/test-data/sarif/runs-3-tools-2-results-0.sarif +1 -1
  156. package/test-data/sarif/runs-3-tools-2.sarif +1 -1
  157. package/test-data/sarif/tmp/codeql-csharp.sarif +1 -0
  158. package/test-data/sarif/tmp/grype-container.sarif +1774 -0
  159. package/test-data/sarif/tmp/runs-1-tools-1-results-0.sarif +18 -0
  160. package/test-data/sarif/tmp/runs-2-tools-2.sarif +686 -0
  161. package/test-data/sarif/trivy-iac.sarif +1 -1
  162. package/tests/integration/SendSarifToSlack.spec.ts +95 -27
  163. package/tsconfig.json +2 -0
  164. package/dist/Processors.d.ts +0 -2
  165. package/dist/Processors.d.ts.map +0 -1
  166. package/dist/Processors.js +0 -61
  167. package/dist/SarifToSlackService.d.ts +0 -39
  168. package/dist/SarifToSlackService.d.ts.map +0 -1
  169. package/dist/SarifToSlackService.js +0 -104
  170. package/dist/metadata.d.ts +0 -2
  171. package/dist/metadata.d.ts.map +0 -1
  172. package/dist/metadata.js +0 -11
  173. package/dist/model/SarifModelPerRun.d.ts +0 -2
  174. package/dist/model/SarifModelPerRun.d.ts.map +0 -1
  175. package/dist/model/SarifModelPerRun.js +0 -90
  176. package/dist/model/SarifModelPerSarif.d.ts +0 -2
  177. package/dist/model/SarifModelPerSarif.d.ts.map +0 -1
  178. package/dist/model/SarifModelPerSarif.js +0 -102
  179. package/dist/model/types.d.ts +0 -2
  180. package/dist/model/types.d.ts.map +0 -1
  181. package/dist/model/types.js +0 -49
  182. package/dist/utils/SortUtils.d.ts +0 -2
  183. package/dist/utils/SortUtils.d.ts.map +0 -1
  184. package/dist/utils/SortUtils.js +0 -20
  185. package/src/Processors.ts +0 -68
  186. package/src/SarifToSlackService.ts +0 -117
  187. package/src/metadata.ts +0 -10
  188. package/src/model/SarifModelPerRun.ts +0 -120
  189. package/src/model/SarifModelPerSarif.ts +0 -126
  190. package/src/model/types.ts +0 -50
  191. package/src/utils/SortUtils.ts +0 -33
  192. package/tests/Processors.spec.ts +0 -76
@@ -0,0 +1,2278 @@
1
+ {
2
+ "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
3
+ "version": "2.1.0",
4
+ "runs": [
5
+ {
6
+ "addresses": [],
7
+ "artifacts": [
8
+ {
9
+ "length": -1,
10
+ "location": {
11
+ "index": -1,
12
+ "uri": "file:///usr/bin/tflint"
13
+ },
14
+ "parentIndex": -1,
15
+ "roles": []
16
+ },
17
+ {
18
+ "length": -1,
19
+ "location": {
20
+ "index": -1,
21
+ "uri": "file:///usr/local/bin/terraform"
22
+ },
23
+ "parentIndex": -1,
24
+ "roles": []
25
+ },
26
+ {
27
+ "length": -1,
28
+ "location": {
29
+ "index": -1,
30
+ "uri": "file:///root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre-sources.jar"
31
+ },
32
+ "parentIndex": -1,
33
+ "roles": []
34
+ },
35
+ {
36
+ "length": -1,
37
+ "location": {
38
+ "index": -1,
39
+ "uri": "file:///root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar"
40
+ },
41
+ "parentIndex": -1,
42
+ "roles": []
43
+ },
44
+ {
45
+ "length": -1,
46
+ "location": {
47
+ "index": -1,
48
+ "uri": "file:///root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/protobuf/protobuf-java/3.19.6/protobuf-java-3.19.6.jar"
49
+ },
50
+ "parentIndex": -1,
51
+ "roles": []
52
+ },
53
+ {
54
+ "length": -1,
55
+ "location": {
56
+ "index": -1,
57
+ "uri": "file:///root/.cache/coursier/v1/https/repo1.maven.org/maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar"
58
+ },
59
+ "parentIndex": -1,
60
+ "roles": []
61
+ },
62
+ {
63
+ "length": -1,
64
+ "location": {
65
+ "index": -1,
66
+ "uri": "file:///usr/local/bin/actionlint"
67
+ },
68
+ "parentIndex": -1,
69
+ "roles": []
70
+ }
71
+ ],
72
+ "graphs": [],
73
+ "invocations": [],
74
+ "language": "en-US",
75
+ "logicalLocations": [],
76
+ "newlineSequences": [
77
+ "\r\n",
78
+ "\n"
79
+ ],
80
+ "policies": [],
81
+ "redactionTokens": [],
82
+ "results": [
83
+ {
84
+ "attachments": [],
85
+ "codeFlows": [],
86
+ "fixes": [],
87
+ "graphTraversals": [],
88
+ "graphs": [],
89
+ "kind": "fail",
90
+ "level": "warning",
91
+ "locations": [
92
+ {
93
+ "annotations": [],
94
+ "id": -1,
95
+ "logicalLocations": [],
96
+ "physicalLocation": {
97
+ "artifactLocation": {
98
+ "index": -1,
99
+ "uri": "file:///usr/bin/tflint"
100
+ }
101
+ },
102
+ "relationships": []
103
+ }
104
+ ],
105
+ "message": {
106
+ "arguments": [],
107
+ "text": "Package 'github.com/cloudflare/circl@1.3.7' is vulnerable to 'CVE-2025-8556' (also known as 'GO-2025-3754', 'GHSA-2x5j-vhc8-9cwm')."
108
+ },
109
+ "rank": -1,
110
+ "relatedLocations": [],
111
+ "ruleId": "CVE-2025-8556",
112
+ "ruleIndex": 0,
113
+ "stacks": [],
114
+ "taxa": []
115
+ },
116
+ {
117
+ "attachments": [],
118
+ "codeFlows": [],
119
+ "fixes": [],
120
+ "graphTraversals": [],
121
+ "graphs": [],
122
+ "kind": "fail",
123
+ "level": "warning",
124
+ "locations": [
125
+ {
126
+ "annotations": [],
127
+ "id": -1,
128
+ "logicalLocations": [],
129
+ "physicalLocation": {
130
+ "artifactLocation": {
131
+ "index": -1,
132
+ "uri": "file:///usr/local/bin/terraform"
133
+ }
134
+ },
135
+ "relationships": []
136
+ }
137
+ ],
138
+ "message": {
139
+ "arguments": [],
140
+ "text": "Package 'github.com/cloudflare/circl@1.4.0' is vulnerable to 'CVE-2025-8556' (also known as 'GO-2025-3754', 'GHSA-2x5j-vhc8-9cwm')."
141
+ },
142
+ "rank": -1,
143
+ "relatedLocations": [],
144
+ "ruleId": "CVE-2025-8556",
145
+ "ruleIndex": 0,
146
+ "stacks": [],
147
+ "taxa": []
148
+ },
149
+ {
150
+ "attachments": [],
151
+ "codeFlows": [],
152
+ "fixes": [],
153
+ "graphTraversals": [],
154
+ "graphs": [],
155
+ "kind": "fail",
156
+ "level": "warning",
157
+ "locations": [
158
+ {
159
+ "annotations": [],
160
+ "id": -1,
161
+ "logicalLocations": [],
162
+ "physicalLocation": {
163
+ "artifactLocation": {
164
+ "index": -1,
165
+ "uri": "file:///root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre-sources.jar"
166
+ }
167
+ },
168
+ "relationships": []
169
+ }
170
+ ],
171
+ "message": {
172
+ "arguments": [],
173
+ "text": "Package 'com.google.guava:guava@30.1-jre' is vulnerable to 'CVE-2020-8908' (also known as 'CGA-7rjh-334q-pq8g', 'GHSA-5mg8-w23w-74h3')."
174
+ },
175
+ "rank": -1,
176
+ "relatedLocations": [],
177
+ "ruleId": "CVE-2020-8908",
178
+ "ruleIndex": 1,
179
+ "stacks": [],
180
+ "taxa": []
181
+ },
182
+ {
183
+ "attachments": [],
184
+ "codeFlows": [],
185
+ "fixes": [],
186
+ "graphTraversals": [],
187
+ "graphs": [],
188
+ "kind": "fail",
189
+ "level": "warning",
190
+ "locations": [
191
+ {
192
+ "annotations": [],
193
+ "id": -1,
194
+ "logicalLocations": [],
195
+ "physicalLocation": {
196
+ "artifactLocation": {
197
+ "index": -1,
198
+ "uri": "file:///root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar"
199
+ }
200
+ },
201
+ "relationships": []
202
+ }
203
+ ],
204
+ "message": {
205
+ "arguments": [],
206
+ "text": "Package 'com.google.guava:guava@30.1-jre' is vulnerable to 'CVE-2020-8908' (also known as 'CGA-7rjh-334q-pq8g', 'GHSA-5mg8-w23w-74h3')."
207
+ },
208
+ "rank": -1,
209
+ "relatedLocations": [],
210
+ "ruleId": "CVE-2020-8908",
211
+ "ruleIndex": 1,
212
+ "stacks": [],
213
+ "taxa": []
214
+ },
215
+ {
216
+ "attachments": [],
217
+ "codeFlows": [],
218
+ "fixes": [],
219
+ "graphTraversals": [],
220
+ "graphs": [],
221
+ "kind": "fail",
222
+ "level": "warning",
223
+ "locations": [
224
+ {
225
+ "annotations": [],
226
+ "id": -1,
227
+ "logicalLocations": [],
228
+ "physicalLocation": {
229
+ "artifactLocation": {
230
+ "index": -1,
231
+ "uri": "file:///usr/bin/tflint"
232
+ }
233
+ },
234
+ "relationships": []
235
+ }
236
+ ],
237
+ "message": {
238
+ "arguments": [],
239
+ "text": "Package 'golang.org/x/oauth2@0.20.0' is vulnerable to 'CVE-2025-22868' (also known as 'GO-2025-3488', 'GHSA-6v2p-p543-phr9')."
240
+ },
241
+ "rank": -1,
242
+ "relatedLocations": [],
243
+ "ruleId": "CVE-2025-22868",
244
+ "ruleIndex": 2,
245
+ "stacks": [],
246
+ "taxa": []
247
+ },
248
+ {
249
+ "attachments": [],
250
+ "codeFlows": [],
251
+ "fixes": [],
252
+ "graphTraversals": [],
253
+ "graphs": [],
254
+ "kind": "fail",
255
+ "level": "warning",
256
+ "locations": [
257
+ {
258
+ "annotations": [],
259
+ "id": -1,
260
+ "logicalLocations": [],
261
+ "physicalLocation": {
262
+ "artifactLocation": {
263
+ "index": -1,
264
+ "uri": "file:///root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/protobuf/protobuf-java/3.19.6/protobuf-java-3.19.6.jar"
265
+ }
266
+ },
267
+ "relationships": []
268
+ }
269
+ ],
270
+ "message": {
271
+ "arguments": [],
272
+ "text": "Package 'com.google.protobuf:protobuf-java@3.19.6' is vulnerable to 'CVE-2024-7254' (also known as 'GHSA-735f-pc8j-v9w8')."
273
+ },
274
+ "rank": -1,
275
+ "relatedLocations": [],
276
+ "ruleId": "CVE-2024-7254",
277
+ "ruleIndex": 3,
278
+ "stacks": [],
279
+ "taxa": []
280
+ },
281
+ {
282
+ "attachments": [],
283
+ "codeFlows": [],
284
+ "fixes": [],
285
+ "graphTraversals": [],
286
+ "graphs": [],
287
+ "kind": "fail",
288
+ "level": "warning",
289
+ "locations": [
290
+ {
291
+ "annotations": [],
292
+ "id": -1,
293
+ "logicalLocations": [],
294
+ "physicalLocation": {
295
+ "artifactLocation": {
296
+ "index": -1,
297
+ "uri": "file:///root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre-sources.jar"
298
+ }
299
+ },
300
+ "relationships": []
301
+ }
302
+ ],
303
+ "message": {
304
+ "arguments": [],
305
+ "text": "Package 'com.google.guava:guava@30.1-jre' is vulnerable to 'CVE-2023-2976' (also known as 'CGA-g8pm-vcpp-9jxq', 'GHSA-7g45-4rm6-3mm3')."
306
+ },
307
+ "rank": -1,
308
+ "relatedLocations": [],
309
+ "ruleId": "CVE-2023-2976",
310
+ "ruleIndex": 4,
311
+ "stacks": [],
312
+ "taxa": []
313
+ },
314
+ {
315
+ "attachments": [],
316
+ "codeFlows": [],
317
+ "fixes": [],
318
+ "graphTraversals": [],
319
+ "graphs": [],
320
+ "kind": "fail",
321
+ "level": "warning",
322
+ "locations": [
323
+ {
324
+ "annotations": [],
325
+ "id": -1,
326
+ "logicalLocations": [],
327
+ "physicalLocation": {
328
+ "artifactLocation": {
329
+ "index": -1,
330
+ "uri": "file:///root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar"
331
+ }
332
+ },
333
+ "relationships": []
334
+ }
335
+ ],
336
+ "message": {
337
+ "arguments": [],
338
+ "text": "Package 'com.google.guava:guava@30.1-jre' is vulnerable to 'CVE-2023-2976' (also known as 'CGA-g8pm-vcpp-9jxq', 'GHSA-7g45-4rm6-3mm3')."
339
+ },
340
+ "rank": -1,
341
+ "relatedLocations": [],
342
+ "ruleId": "CVE-2023-2976",
343
+ "ruleIndex": 4,
344
+ "stacks": [],
345
+ "taxa": []
346
+ },
347
+ {
348
+ "attachments": [],
349
+ "codeFlows": [],
350
+ "fixes": [],
351
+ "graphTraversals": [],
352
+ "graphs": [],
353
+ "kind": "fail",
354
+ "level": "warning",
355
+ "locations": [
356
+ {
357
+ "annotations": [],
358
+ "id": -1,
359
+ "logicalLocations": [],
360
+ "physicalLocation": {
361
+ "artifactLocation": {
362
+ "index": -1,
363
+ "uri": "file:///usr/bin/tflint"
364
+ }
365
+ },
366
+ "relationships": []
367
+ }
368
+ ],
369
+ "message": {
370
+ "arguments": [],
371
+ "text": "Package 'golang.org/x/crypto@0.23.0' is vulnerable to 'CVE-2025-22869' (also known as 'GO-2025-3487', 'GHSA-hcg3-q754-cr77')."
372
+ },
373
+ "rank": -1,
374
+ "relatedLocations": [],
375
+ "ruleId": "CVE-2025-22869",
376
+ "ruleIndex": 5,
377
+ "stacks": [],
378
+ "taxa": []
379
+ },
380
+ {
381
+ "attachments": [],
382
+ "codeFlows": [],
383
+ "fixes": [],
384
+ "graphTraversals": [],
385
+ "graphs": [],
386
+ "kind": "fail",
387
+ "level": "warning",
388
+ "locations": [
389
+ {
390
+ "annotations": [],
391
+ "id": -1,
392
+ "logicalLocations": [],
393
+ "physicalLocation": {
394
+ "artifactLocation": {
395
+ "index": -1,
396
+ "uri": "file:///root/.cache/coursier/v1/https/repo1.maven.org/maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar"
397
+ }
398
+ },
399
+ "relationships": []
400
+ }
401
+ ],
402
+ "message": {
403
+ "arguments": [],
404
+ "text": "Package 'org.apache.commons:commons-lang3@3.14.0' is vulnerable to 'CVE-2025-48924' (also known as 'GHSA-j288-q9x7-2f5v')."
405
+ },
406
+ "rank": -1,
407
+ "relatedLocations": [],
408
+ "ruleId": "CVE-2025-48924",
409
+ "ruleIndex": 6,
410
+ "stacks": [],
411
+ "taxa": []
412
+ },
413
+ {
414
+ "attachments": [],
415
+ "codeFlows": [],
416
+ "fixes": [],
417
+ "graphTraversals": [],
418
+ "graphs": [],
419
+ "kind": "fail",
420
+ "level": "warning",
421
+ "locations": [
422
+ {
423
+ "annotations": [],
424
+ "id": -1,
425
+ "logicalLocations": [],
426
+ "physicalLocation": {
427
+ "artifactLocation": {
428
+ "index": -1,
429
+ "uri": "file:///usr/bin/tflint"
430
+ }
431
+ },
432
+ "relationships": []
433
+ }
434
+ ],
435
+ "message": {
436
+ "arguments": [],
437
+ "text": "Package 'golang.org/x/net@0.25.0' is vulnerable to 'CVE-2025-22870' (also known as 'GO-2025-3503', 'GHSA-qxp5-gwg8-xv66')."
438
+ },
439
+ "rank": -1,
440
+ "relatedLocations": [],
441
+ "ruleId": "CVE-2025-22870",
442
+ "ruleIndex": 7,
443
+ "stacks": [],
444
+ "taxa": []
445
+ },
446
+ {
447
+ "attachments": [],
448
+ "codeFlows": [],
449
+ "fixes": [],
450
+ "graphTraversals": [],
451
+ "graphs": [],
452
+ "kind": "fail",
453
+ "level": "warning",
454
+ "locations": [
455
+ {
456
+ "annotations": [],
457
+ "id": -1,
458
+ "logicalLocations": [],
459
+ "physicalLocation": {
460
+ "artifactLocation": {
461
+ "index": -1,
462
+ "uri": "file:///usr/bin/tflint"
463
+ }
464
+ },
465
+ "relationships": []
466
+ }
467
+ ],
468
+ "message": {
469
+ "arguments": [],
470
+ "text": "Package 'golang.org/x/crypto@0.23.0' is vulnerable to 'CVE-2024-45337' (also known as 'GO-2024-3321', 'GHSA-v778-237x-gjrc')."
471
+ },
472
+ "rank": -1,
473
+ "relatedLocations": [],
474
+ "ruleId": "CVE-2024-45337",
475
+ "ruleIndex": 8,
476
+ "stacks": [],
477
+ "taxa": []
478
+ },
479
+ {
480
+ "attachments": [],
481
+ "codeFlows": [],
482
+ "fixes": [],
483
+ "graphTraversals": [],
484
+ "graphs": [],
485
+ "kind": "fail",
486
+ "level": "warning",
487
+ "locations": [
488
+ {
489
+ "annotations": [],
490
+ "id": -1,
491
+ "logicalLocations": [],
492
+ "physicalLocation": {
493
+ "artifactLocation": {
494
+ "index": -1,
495
+ "uri": "file:///usr/bin/tflint"
496
+ }
497
+ },
498
+ "relationships": []
499
+ }
500
+ ],
501
+ "message": {
502
+ "arguments": [],
503
+ "text": "Package 'golang.org/x/net@0.25.0' is vulnerable to 'CVE-2025-22872' (also known as 'GO-2025-3595', 'GHSA-vvgc-356p-c3xw')."
504
+ },
505
+ "rank": -1,
506
+ "relatedLocations": [],
507
+ "ruleId": "CVE-2025-22872",
508
+ "ruleIndex": 9,
509
+ "stacks": [],
510
+ "taxa": []
511
+ },
512
+ {
513
+ "attachments": [],
514
+ "codeFlows": [],
515
+ "fixes": [],
516
+ "graphTraversals": [],
517
+ "graphs": [],
518
+ "kind": "fail",
519
+ "level": "warning",
520
+ "locations": [
521
+ {
522
+ "annotations": [],
523
+ "id": -1,
524
+ "logicalLocations": [],
525
+ "physicalLocation": {
526
+ "artifactLocation": {
527
+ "index": -1,
528
+ "uri": "file:///usr/bin/tflint"
529
+ }
530
+ },
531
+ "relationships": []
532
+ }
533
+ ],
534
+ "message": {
535
+ "arguments": [],
536
+ "text": "Package 'github.com/hashicorp/go-getter@1.7.4' is vulnerable to 'CVE-2024-6257' (also known as 'GO-2024-2948', 'GHSA-xfhp-jf8p-mh5w')."
537
+ },
538
+ "rank": -1,
539
+ "relatedLocations": [],
540
+ "ruleId": "CVE-2024-6257",
541
+ "ruleIndex": 10,
542
+ "stacks": [],
543
+ "taxa": []
544
+ },
545
+ {
546
+ "attachments": [],
547
+ "codeFlows": [],
548
+ "fixes": [],
549
+ "graphTraversals": [],
550
+ "graphs": [],
551
+ "kind": "fail",
552
+ "level": "warning",
553
+ "locations": [
554
+ {
555
+ "annotations": [],
556
+ "id": -1,
557
+ "logicalLocations": [],
558
+ "physicalLocation": {
559
+ "artifactLocation": {
560
+ "index": -1,
561
+ "uri": "file:///usr/bin/tflint"
562
+ }
563
+ },
564
+ "relationships": []
565
+ }
566
+ ],
567
+ "message": {
568
+ "arguments": [],
569
+ "text": "Package 'github.com/aws/aws-sdk-go@1.44.122' is vulnerable to 'CVE-2020-8912' (also known as 'GO-2022-0635', 'GHSA-7f33-f4f5-xwgw')."
570
+ },
571
+ "rank": -1,
572
+ "relatedLocations": [],
573
+ "ruleId": "CVE-2020-8912",
574
+ "ruleIndex": 11,
575
+ "stacks": [],
576
+ "taxa": []
577
+ },
578
+ {
579
+ "attachments": [],
580
+ "codeFlows": [],
581
+ "fixes": [],
582
+ "graphTraversals": [],
583
+ "graphs": [],
584
+ "kind": "fail",
585
+ "level": "warning",
586
+ "locations": [
587
+ {
588
+ "annotations": [],
589
+ "id": -1,
590
+ "logicalLocations": [],
591
+ "physicalLocation": {
592
+ "artifactLocation": {
593
+ "index": -1,
594
+ "uri": "file:///usr/local/bin/terraform"
595
+ }
596
+ },
597
+ "relationships": []
598
+ }
599
+ ],
600
+ "message": {
601
+ "arguments": [],
602
+ "text": "Package 'github.com/aws/aws-sdk-go@1.44.122' is vulnerable to 'CVE-2020-8912' (also known as 'GO-2022-0635', 'GHSA-7f33-f4f5-xwgw')."
603
+ },
604
+ "rank": -1,
605
+ "relatedLocations": [],
606
+ "ruleId": "CVE-2020-8912",
607
+ "ruleIndex": 11,
608
+ "stacks": [],
609
+ "taxa": []
610
+ },
611
+ {
612
+ "attachments": [],
613
+ "codeFlows": [],
614
+ "fixes": [],
615
+ "graphTraversals": [],
616
+ "graphs": [],
617
+ "kind": "fail",
618
+ "level": "warning",
619
+ "locations": [
620
+ {
621
+ "annotations": [],
622
+ "id": -1,
623
+ "logicalLocations": [],
624
+ "physicalLocation": {
625
+ "artifactLocation": {
626
+ "index": -1,
627
+ "uri": "file:///usr/bin/tflint"
628
+ }
629
+ },
630
+ "relationships": []
631
+ }
632
+ ],
633
+ "message": {
634
+ "arguments": [],
635
+ "text": "Package 'github.com/aws/aws-sdk-go@1.44.122' is vulnerable to 'CVE-2020-8911' (also known as 'GO-2022-0646', 'GHSA-f5pg-7wfw-84q9')."
636
+ },
637
+ "rank": -1,
638
+ "relatedLocations": [],
639
+ "ruleId": "CVE-2020-8911",
640
+ "ruleIndex": 12,
641
+ "stacks": [],
642
+ "taxa": []
643
+ },
644
+ {
645
+ "attachments": [],
646
+ "codeFlows": [],
647
+ "fixes": [],
648
+ "graphTraversals": [],
649
+ "graphs": [],
650
+ "kind": "fail",
651
+ "level": "warning",
652
+ "locations": [
653
+ {
654
+ "annotations": [],
655
+ "id": -1,
656
+ "logicalLocations": [],
657
+ "physicalLocation": {
658
+ "artifactLocation": {
659
+ "index": -1,
660
+ "uri": "file:///usr/local/bin/terraform"
661
+ }
662
+ },
663
+ "relationships": []
664
+ }
665
+ ],
666
+ "message": {
667
+ "arguments": [],
668
+ "text": "Package 'github.com/aws/aws-sdk-go@1.44.122' is vulnerable to 'CVE-2020-8911' (also known as 'GO-2022-0646', 'GHSA-f5pg-7wfw-84q9')."
669
+ },
670
+ "rank": -1,
671
+ "relatedLocations": [],
672
+ "ruleId": "CVE-2020-8911",
673
+ "ruleIndex": 12,
674
+ "stacks": [],
675
+ "taxa": []
676
+ },
677
+ {
678
+ "attachments": [],
679
+ "codeFlows": [],
680
+ "fixes": [],
681
+ "graphTraversals": [],
682
+ "graphs": [],
683
+ "kind": "fail",
684
+ "level": "warning",
685
+ "locations": [
686
+ {
687
+ "annotations": [],
688
+ "id": -1,
689
+ "logicalLocations": [],
690
+ "physicalLocation": {
691
+ "artifactLocation": {
692
+ "index": -1,
693
+ "uri": "file:///usr/bin/tflint"
694
+ }
695
+ },
696
+ "relationships": []
697
+ }
698
+ ],
699
+ "message": {
700
+ "arguments": [],
701
+ "text": "Package 'github.com/hashicorp/go-getter@1.7.4' is vulnerable to 'CVE-2024-6257' (also known as 'GO-2024-2948', 'GHSA-xfhp-jf8p-mh5w')."
702
+ },
703
+ "rank": -1,
704
+ "relatedLocations": [],
705
+ "ruleId": "CVE-2024-6257",
706
+ "ruleIndex": 10,
707
+ "stacks": [],
708
+ "taxa": []
709
+ },
710
+ {
711
+ "attachments": [],
712
+ "codeFlows": [],
713
+ "fixes": [],
714
+ "graphTraversals": [],
715
+ "graphs": [],
716
+ "kind": "fail",
717
+ "level": "warning",
718
+ "locations": [
719
+ {
720
+ "annotations": [],
721
+ "id": -1,
722
+ "logicalLocations": [],
723
+ "physicalLocation": {
724
+ "artifactLocation": {
725
+ "index": -1,
726
+ "uri": "file:///usr/bin/tflint"
727
+ }
728
+ },
729
+ "relationships": []
730
+ }
731
+ ],
732
+ "message": {
733
+ "arguments": [],
734
+ "text": "Package 'stdlib@1.22.5' is vulnerable to 'CVE-2024-34155' (also known as 'BIT-golang-2024-34155', 'GO-2024-3105')."
735
+ },
736
+ "rank": -1,
737
+ "relatedLocations": [],
738
+ "ruleId": "CVE-2024-34155",
739
+ "ruleIndex": 13,
740
+ "stacks": [],
741
+ "taxa": []
742
+ },
743
+ {
744
+ "attachments": [],
745
+ "codeFlows": [],
746
+ "fixes": [],
747
+ "graphTraversals": [],
748
+ "graphs": [],
749
+ "kind": "fail",
750
+ "level": "warning",
751
+ "locations": [
752
+ {
753
+ "annotations": [],
754
+ "id": -1,
755
+ "logicalLocations": [],
756
+ "physicalLocation": {
757
+ "artifactLocation": {
758
+ "index": -1,
759
+ "uri": "file:///usr/bin/tflint"
760
+ }
761
+ },
762
+ "relationships": []
763
+ }
764
+ ],
765
+ "message": {
766
+ "arguments": [],
767
+ "text": "Package 'stdlib@1.22.5' is vulnerable to 'CVE-2024-34156' (also known as 'BIT-golang-2024-34156', 'GO-2024-3106')."
768
+ },
769
+ "rank": -1,
770
+ "relatedLocations": [],
771
+ "ruleId": "CVE-2024-34156",
772
+ "ruleIndex": 14,
773
+ "stacks": [],
774
+ "taxa": []
775
+ },
776
+ {
777
+ "attachments": [],
778
+ "codeFlows": [],
779
+ "fixes": [],
780
+ "graphTraversals": [],
781
+ "graphs": [],
782
+ "kind": "fail",
783
+ "level": "warning",
784
+ "locations": [
785
+ {
786
+ "annotations": [],
787
+ "id": -1,
788
+ "logicalLocations": [],
789
+ "physicalLocation": {
790
+ "artifactLocation": {
791
+ "index": -1,
792
+ "uri": "file:///usr/bin/tflint"
793
+ }
794
+ },
795
+ "relationships": []
796
+ }
797
+ ],
798
+ "message": {
799
+ "arguments": [],
800
+ "text": "Package 'stdlib@1.22.5' is vulnerable to 'CVE-2024-34158' (also known as 'BIT-golang-2024-34158', 'GO-2024-3107')."
801
+ },
802
+ "rank": -1,
803
+ "relatedLocations": [],
804
+ "ruleId": "CVE-2024-34158",
805
+ "ruleIndex": 15,
806
+ "stacks": [],
807
+ "taxa": []
808
+ },
809
+ {
810
+ "attachments": [],
811
+ "codeFlows": [],
812
+ "fixes": [],
813
+ "graphTraversals": [],
814
+ "graphs": [],
815
+ "kind": "fail",
816
+ "level": "warning",
817
+ "locations": [
818
+ {
819
+ "annotations": [],
820
+ "id": -1,
821
+ "logicalLocations": [],
822
+ "physicalLocation": {
823
+ "artifactLocation": {
824
+ "index": -1,
825
+ "uri": "file:///usr/bin/tflint"
826
+ }
827
+ },
828
+ "relationships": []
829
+ }
830
+ ],
831
+ "message": {
832
+ "arguments": [],
833
+ "text": "Package 'golang.org/x/crypto@0.23.0' is vulnerable to 'CVE-2024-45337' (also known as 'GO-2024-3321', 'GHSA-v778-237x-gjrc')."
834
+ },
835
+ "rank": -1,
836
+ "relatedLocations": [],
837
+ "ruleId": "CVE-2024-45337",
838
+ "ruleIndex": 8,
839
+ "stacks": [],
840
+ "taxa": []
841
+ },
842
+ {
843
+ "attachments": [],
844
+ "codeFlows": [],
845
+ "fixes": [],
846
+ "graphTraversals": [],
847
+ "graphs": [],
848
+ "kind": "fail",
849
+ "level": "warning",
850
+ "locations": [
851
+ {
852
+ "annotations": [],
853
+ "id": -1,
854
+ "logicalLocations": [],
855
+ "physicalLocation": {
856
+ "artifactLocation": {
857
+ "index": -1,
858
+ "uri": "file:///usr/bin/tflint"
859
+ }
860
+ },
861
+ "relationships": []
862
+ }
863
+ ],
864
+ "message": {
865
+ "arguments": [],
866
+ "text": "Package 'golang.org/x/net@0.25.0' is vulnerable to 'CVE-2024-45338' (also known as 'GO-2024-3333', 'GHSA-w32m-9786-jp63')."
867
+ },
868
+ "rank": -1,
869
+ "relatedLocations": [],
870
+ "ruleId": "CVE-2024-45338",
871
+ "ruleIndex": 16,
872
+ "stacks": [],
873
+ "taxa": []
874
+ },
875
+ {
876
+ "attachments": [],
877
+ "codeFlows": [],
878
+ "fixes": [],
879
+ "graphTraversals": [],
880
+ "graphs": [],
881
+ "kind": "fail",
882
+ "level": "warning",
883
+ "locations": [
884
+ {
885
+ "annotations": [],
886
+ "id": -1,
887
+ "logicalLocations": [],
888
+ "physicalLocation": {
889
+ "artifactLocation": {
890
+ "index": -1,
891
+ "uri": "file:///usr/bin/tflint"
892
+ }
893
+ },
894
+ "relationships": []
895
+ }
896
+ ],
897
+ "message": {
898
+ "arguments": [],
899
+ "text": "Package 'stdlib@1.22.5' is vulnerable to 'CVE-2024-45341' (also known as 'BIT-golang-2024-45341', 'GO-2025-3373')."
900
+ },
901
+ "rank": -1,
902
+ "relatedLocations": [],
903
+ "ruleId": "CVE-2024-45341",
904
+ "ruleIndex": 17,
905
+ "stacks": [],
906
+ "taxa": []
907
+ },
908
+ {
909
+ "attachments": [],
910
+ "codeFlows": [],
911
+ "fixes": [],
912
+ "graphTraversals": [],
913
+ "graphs": [],
914
+ "kind": "fail",
915
+ "level": "warning",
916
+ "locations": [
917
+ {
918
+ "annotations": [],
919
+ "id": -1,
920
+ "logicalLocations": [],
921
+ "physicalLocation": {
922
+ "artifactLocation": {
923
+ "index": -1,
924
+ "uri": "file:///usr/local/bin/actionlint"
925
+ }
926
+ },
927
+ "relationships": []
928
+ }
929
+ ],
930
+ "message": {
931
+ "arguments": [],
932
+ "text": "Package 'stdlib@1.23.4' is vulnerable to 'CVE-2024-45341' (also known as 'BIT-golang-2024-45341', 'GO-2025-3373')."
933
+ },
934
+ "rank": -1,
935
+ "relatedLocations": [],
936
+ "ruleId": "CVE-2024-45341",
937
+ "ruleIndex": 17,
938
+ "stacks": [],
939
+ "taxa": []
940
+ },
941
+ {
942
+ "attachments": [],
943
+ "codeFlows": [],
944
+ "fixes": [],
945
+ "graphTraversals": [],
946
+ "graphs": [],
947
+ "kind": "fail",
948
+ "level": "warning",
949
+ "locations": [
950
+ {
951
+ "annotations": [],
952
+ "id": -1,
953
+ "logicalLocations": [],
954
+ "physicalLocation": {
955
+ "artifactLocation": {
956
+ "index": -1,
957
+ "uri": "file:///usr/bin/tflint"
958
+ }
959
+ },
960
+ "relationships": []
961
+ }
962
+ ],
963
+ "message": {
964
+ "arguments": [],
965
+ "text": "Package 'stdlib@1.22.5' is vulnerable to 'CVE-2024-45336' (also known as 'BIT-golang-2024-45336', 'GO-2025-3420')."
966
+ },
967
+ "rank": -1,
968
+ "relatedLocations": [],
969
+ "ruleId": "CVE-2024-45336",
970
+ "ruleIndex": 18,
971
+ "stacks": [],
972
+ "taxa": []
973
+ },
974
+ {
975
+ "attachments": [],
976
+ "codeFlows": [],
977
+ "fixes": [],
978
+ "graphTraversals": [],
979
+ "graphs": [],
980
+ "kind": "fail",
981
+ "level": "warning",
982
+ "locations": [
983
+ {
984
+ "annotations": [],
985
+ "id": -1,
986
+ "logicalLocations": [],
987
+ "physicalLocation": {
988
+ "artifactLocation": {
989
+ "index": -1,
990
+ "uri": "file:///usr/local/bin/actionlint"
991
+ }
992
+ },
993
+ "relationships": []
994
+ }
995
+ ],
996
+ "message": {
997
+ "arguments": [],
998
+ "text": "Package 'stdlib@1.23.4' is vulnerable to 'CVE-2024-45336' (also known as 'BIT-golang-2024-45336', 'GO-2025-3420')."
999
+ },
1000
+ "rank": -1,
1001
+ "relatedLocations": [],
1002
+ "ruleId": "CVE-2024-45336",
1003
+ "ruleIndex": 18,
1004
+ "stacks": [],
1005
+ "taxa": []
1006
+ },
1007
+ {
1008
+ "attachments": [],
1009
+ "codeFlows": [],
1010
+ "fixes": [],
1011
+ "graphTraversals": [],
1012
+ "graphs": [],
1013
+ "kind": "fail",
1014
+ "level": "warning",
1015
+ "locations": [
1016
+ {
1017
+ "annotations": [],
1018
+ "id": -1,
1019
+ "logicalLocations": [],
1020
+ "physicalLocation": {
1021
+ "artifactLocation": {
1022
+ "index": -1,
1023
+ "uri": "file:///usr/bin/tflint"
1024
+ }
1025
+ },
1026
+ "relationships": []
1027
+ }
1028
+ ],
1029
+ "message": {
1030
+ "arguments": [],
1031
+ "text": "Package 'stdlib@1.22.5' is vulnerable to 'CVE-2025-22866' (also known as 'BIT-golang-2025-22866', 'GO-2025-3447')."
1032
+ },
1033
+ "rank": -1,
1034
+ "relatedLocations": [],
1035
+ "ruleId": "CVE-2025-22866",
1036
+ "ruleIndex": 19,
1037
+ "stacks": [],
1038
+ "taxa": []
1039
+ },
1040
+ {
1041
+ "attachments": [],
1042
+ "codeFlows": [],
1043
+ "fixes": [],
1044
+ "graphTraversals": [],
1045
+ "graphs": [],
1046
+ "kind": "fail",
1047
+ "level": "warning",
1048
+ "locations": [
1049
+ {
1050
+ "annotations": [],
1051
+ "id": -1,
1052
+ "logicalLocations": [],
1053
+ "physicalLocation": {
1054
+ "artifactLocation": {
1055
+ "index": -1,
1056
+ "uri": "file:///usr/local/bin/actionlint"
1057
+ }
1058
+ },
1059
+ "relationships": []
1060
+ }
1061
+ ],
1062
+ "message": {
1063
+ "arguments": [],
1064
+ "text": "Package 'stdlib@1.23.4' is vulnerable to 'CVE-2025-22866' (also known as 'BIT-golang-2025-22866', 'GO-2025-3447')."
1065
+ },
1066
+ "rank": -1,
1067
+ "relatedLocations": [],
1068
+ "ruleId": "CVE-2025-22866",
1069
+ "ruleIndex": 19,
1070
+ "stacks": [],
1071
+ "taxa": []
1072
+ },
1073
+ {
1074
+ "attachments": [],
1075
+ "codeFlows": [],
1076
+ "fixes": [],
1077
+ "graphTraversals": [],
1078
+ "graphs": [],
1079
+ "kind": "fail",
1080
+ "level": "warning",
1081
+ "locations": [
1082
+ {
1083
+ "annotations": [],
1084
+ "id": -1,
1085
+ "logicalLocations": [],
1086
+ "physicalLocation": {
1087
+ "artifactLocation": {
1088
+ "index": -1,
1089
+ "uri": "file:///usr/bin/tflint"
1090
+ }
1091
+ },
1092
+ "relationships": []
1093
+ }
1094
+ ],
1095
+ "message": {
1096
+ "arguments": [],
1097
+ "text": "Package 'golang.org/x/crypto@0.23.0' is vulnerable to 'CVE-2025-22869' (also known as 'GO-2025-3487', 'GHSA-hcg3-q754-cr77')."
1098
+ },
1099
+ "rank": -1,
1100
+ "relatedLocations": [],
1101
+ "ruleId": "CVE-2025-22869",
1102
+ "ruleIndex": 5,
1103
+ "stacks": [],
1104
+ "taxa": []
1105
+ },
1106
+ {
1107
+ "attachments": [],
1108
+ "codeFlows": [],
1109
+ "fixes": [],
1110
+ "graphTraversals": [],
1111
+ "graphs": [],
1112
+ "kind": "fail",
1113
+ "level": "warning",
1114
+ "locations": [
1115
+ {
1116
+ "annotations": [],
1117
+ "id": -1,
1118
+ "logicalLocations": [],
1119
+ "physicalLocation": {
1120
+ "artifactLocation": {
1121
+ "index": -1,
1122
+ "uri": "file:///usr/bin/tflint"
1123
+ }
1124
+ },
1125
+ "relationships": []
1126
+ }
1127
+ ],
1128
+ "message": {
1129
+ "arguments": [],
1130
+ "text": "Package 'golang.org/x/oauth2@0.20.0' is vulnerable to 'CVE-2025-22868' (also known as 'GO-2025-3488', 'GHSA-6v2p-p543-phr9')."
1131
+ },
1132
+ "rank": -1,
1133
+ "relatedLocations": [],
1134
+ "ruleId": "CVE-2025-22868",
1135
+ "ruleIndex": 2,
1136
+ "stacks": [],
1137
+ "taxa": []
1138
+ },
1139
+ {
1140
+ "attachments": [],
1141
+ "codeFlows": [],
1142
+ "fixes": [],
1143
+ "graphTraversals": [],
1144
+ "graphs": [],
1145
+ "kind": "fail",
1146
+ "level": "warning",
1147
+ "locations": [
1148
+ {
1149
+ "annotations": [],
1150
+ "id": -1,
1151
+ "logicalLocations": [],
1152
+ "physicalLocation": {
1153
+ "artifactLocation": {
1154
+ "index": -1,
1155
+ "uri": "file:///usr/bin/tflint"
1156
+ }
1157
+ },
1158
+ "relationships": []
1159
+ }
1160
+ ],
1161
+ "message": {
1162
+ "arguments": [],
1163
+ "text": "Package 'golang.org/x/net@0.25.0' is vulnerable to 'CVE-2025-22870' (also known as 'GO-2025-3503', 'GHSA-qxp5-gwg8-xv66')."
1164
+ },
1165
+ "rank": -1,
1166
+ "relatedLocations": [],
1167
+ "ruleId": "CVE-2025-22870",
1168
+ "ruleIndex": 7,
1169
+ "stacks": [],
1170
+ "taxa": []
1171
+ },
1172
+ {
1173
+ "attachments": [],
1174
+ "codeFlows": [],
1175
+ "fixes": [],
1176
+ "graphTraversals": [],
1177
+ "graphs": [],
1178
+ "kind": "fail",
1179
+ "level": "warning",
1180
+ "locations": [
1181
+ {
1182
+ "annotations": [],
1183
+ "id": -1,
1184
+ "logicalLocations": [],
1185
+ "physicalLocation": {
1186
+ "artifactLocation": {
1187
+ "index": -1,
1188
+ "uri": "file:///usr/bin/tflint"
1189
+ }
1190
+ },
1191
+ "relationships": []
1192
+ }
1193
+ ],
1194
+ "message": {
1195
+ "arguments": [],
1196
+ "text": "Package 'stdlib@1.22.5' is vulnerable to 'CVE-2025-22871' (also known as 'BIT-golang-2025-22871', 'GO-2025-3563')."
1197
+ },
1198
+ "rank": -1,
1199
+ "relatedLocations": [],
1200
+ "ruleId": "CVE-2025-22871",
1201
+ "ruleIndex": 20,
1202
+ "stacks": [],
1203
+ "taxa": []
1204
+ },
1205
+ {
1206
+ "attachments": [],
1207
+ "codeFlows": [],
1208
+ "fixes": [],
1209
+ "graphTraversals": [],
1210
+ "graphs": [],
1211
+ "kind": "fail",
1212
+ "level": "warning",
1213
+ "locations": [
1214
+ {
1215
+ "annotations": [],
1216
+ "id": -1,
1217
+ "logicalLocations": [],
1218
+ "physicalLocation": {
1219
+ "artifactLocation": {
1220
+ "index": -1,
1221
+ "uri": "file:///usr/local/bin/actionlint"
1222
+ }
1223
+ },
1224
+ "relationships": []
1225
+ }
1226
+ ],
1227
+ "message": {
1228
+ "arguments": [],
1229
+ "text": "Package 'stdlib@1.23.4' is vulnerable to 'CVE-2025-22871' (also known as 'BIT-golang-2025-22871', 'GO-2025-3563')."
1230
+ },
1231
+ "rank": -1,
1232
+ "relatedLocations": [],
1233
+ "ruleId": "CVE-2025-22871",
1234
+ "ruleIndex": 20,
1235
+ "stacks": [],
1236
+ "taxa": []
1237
+ },
1238
+ {
1239
+ "attachments": [],
1240
+ "codeFlows": [],
1241
+ "fixes": [],
1242
+ "graphTraversals": [],
1243
+ "graphs": [],
1244
+ "kind": "fail",
1245
+ "level": "warning",
1246
+ "locations": [
1247
+ {
1248
+ "annotations": [],
1249
+ "id": -1,
1250
+ "logicalLocations": [],
1251
+ "physicalLocation": {
1252
+ "artifactLocation": {
1253
+ "index": -1,
1254
+ "uri": "file:///usr/bin/tflint"
1255
+ }
1256
+ },
1257
+ "relationships": []
1258
+ }
1259
+ ],
1260
+ "message": {
1261
+ "arguments": [],
1262
+ "text": "Package 'golang.org/x/net@0.25.0' is vulnerable to 'CVE-2025-22872' (also known as 'GO-2025-3595', 'GHSA-vvgc-356p-c3xw')."
1263
+ },
1264
+ "rank": -1,
1265
+ "relatedLocations": [],
1266
+ "ruleId": "CVE-2025-22872",
1267
+ "ruleIndex": 9,
1268
+ "stacks": [],
1269
+ "taxa": []
1270
+ },
1271
+ {
1272
+ "attachments": [],
1273
+ "codeFlows": [],
1274
+ "fixes": [],
1275
+ "graphTraversals": [],
1276
+ "graphs": [],
1277
+ "kind": "fail",
1278
+ "level": "warning",
1279
+ "locations": [
1280
+ {
1281
+ "annotations": [],
1282
+ "id": -1,
1283
+ "logicalLocations": [],
1284
+ "physicalLocation": {
1285
+ "artifactLocation": {
1286
+ "index": -1,
1287
+ "uri": "file:///usr/local/bin/terraform"
1288
+ }
1289
+ },
1290
+ "relationships": []
1291
+ }
1292
+ ],
1293
+ "message": {
1294
+ "arguments": [],
1295
+ "text": "Package 'stdlib@1.24.2' is vulnerable to 'CVE-2025-22874' (also known as 'BIT-golang-2025-22874', 'GO-2025-3749')."
1296
+ },
1297
+ "rank": -1,
1298
+ "relatedLocations": [],
1299
+ "ruleId": "CVE-2025-22874",
1300
+ "ruleIndex": 21,
1301
+ "stacks": [],
1302
+ "taxa": []
1303
+ },
1304
+ {
1305
+ "attachments": [],
1306
+ "codeFlows": [],
1307
+ "fixes": [],
1308
+ "graphTraversals": [],
1309
+ "graphs": [],
1310
+ "kind": "fail",
1311
+ "level": "warning",
1312
+ "locations": [
1313
+ {
1314
+ "annotations": [],
1315
+ "id": -1,
1316
+ "logicalLocations": [],
1317
+ "physicalLocation": {
1318
+ "artifactLocation": {
1319
+ "index": -1,
1320
+ "uri": "file:///usr/bin/tflint"
1321
+ }
1322
+ },
1323
+ "relationships": []
1324
+ }
1325
+ ],
1326
+ "message": {
1327
+ "arguments": [],
1328
+ "text": "Package 'stdlib@1.22.5' is vulnerable to 'CVE-2025-0913' (also known as 'BIT-golang-2025-0913', 'GO-2025-3750')."
1329
+ },
1330
+ "rank": -1,
1331
+ "relatedLocations": [],
1332
+ "ruleId": "CVE-2025-0913",
1333
+ "ruleIndex": 22,
1334
+ "stacks": [],
1335
+ "taxa": []
1336
+ },
1337
+ {
1338
+ "attachments": [],
1339
+ "codeFlows": [],
1340
+ "fixes": [],
1341
+ "graphTraversals": [],
1342
+ "graphs": [],
1343
+ "kind": "fail",
1344
+ "level": "warning",
1345
+ "locations": [
1346
+ {
1347
+ "annotations": [],
1348
+ "id": -1,
1349
+ "logicalLocations": [],
1350
+ "physicalLocation": {
1351
+ "artifactLocation": {
1352
+ "index": -1,
1353
+ "uri": "file:///usr/local/bin/actionlint"
1354
+ }
1355
+ },
1356
+ "relationships": []
1357
+ }
1358
+ ],
1359
+ "message": {
1360
+ "arguments": [],
1361
+ "text": "Package 'stdlib@1.23.4' is vulnerable to 'CVE-2025-0913' (also known as 'BIT-golang-2025-0913', 'GO-2025-3750')."
1362
+ },
1363
+ "rank": -1,
1364
+ "relatedLocations": [],
1365
+ "ruleId": "CVE-2025-0913",
1366
+ "ruleIndex": 22,
1367
+ "stacks": [],
1368
+ "taxa": []
1369
+ },
1370
+ {
1371
+ "attachments": [],
1372
+ "codeFlows": [],
1373
+ "fixes": [],
1374
+ "graphTraversals": [],
1375
+ "graphs": [],
1376
+ "kind": "fail",
1377
+ "level": "warning",
1378
+ "locations": [
1379
+ {
1380
+ "annotations": [],
1381
+ "id": -1,
1382
+ "logicalLocations": [],
1383
+ "physicalLocation": {
1384
+ "artifactLocation": {
1385
+ "index": -1,
1386
+ "uri": "file:///usr/local/bin/terraform"
1387
+ }
1388
+ },
1389
+ "relationships": []
1390
+ }
1391
+ ],
1392
+ "message": {
1393
+ "arguments": [],
1394
+ "text": "Package 'stdlib@1.24.2' is vulnerable to 'CVE-2025-0913' (also known as 'BIT-golang-2025-0913', 'GO-2025-3750')."
1395
+ },
1396
+ "rank": -1,
1397
+ "relatedLocations": [],
1398
+ "ruleId": "CVE-2025-0913",
1399
+ "ruleIndex": 22,
1400
+ "stacks": [],
1401
+ "taxa": []
1402
+ },
1403
+ {
1404
+ "attachments": [],
1405
+ "codeFlows": [],
1406
+ "fixes": [],
1407
+ "graphTraversals": [],
1408
+ "graphs": [],
1409
+ "kind": "fail",
1410
+ "level": "warning",
1411
+ "locations": [
1412
+ {
1413
+ "annotations": [],
1414
+ "id": -1,
1415
+ "logicalLocations": [],
1416
+ "physicalLocation": {
1417
+ "artifactLocation": {
1418
+ "index": -1,
1419
+ "uri": "file:///usr/bin/tflint"
1420
+ }
1421
+ },
1422
+ "relationships": []
1423
+ }
1424
+ ],
1425
+ "message": {
1426
+ "arguments": [],
1427
+ "text": "Package 'stdlib@1.22.5' is vulnerable to 'CVE-2025-4673' (also known as 'BIT-golang-2025-4673', 'GO-2025-3751')."
1428
+ },
1429
+ "rank": -1,
1430
+ "relatedLocations": [],
1431
+ "ruleId": "CVE-2025-4673",
1432
+ "ruleIndex": 23,
1433
+ "stacks": [],
1434
+ "taxa": []
1435
+ },
1436
+ {
1437
+ "attachments": [],
1438
+ "codeFlows": [],
1439
+ "fixes": [],
1440
+ "graphTraversals": [],
1441
+ "graphs": [],
1442
+ "kind": "fail",
1443
+ "level": "warning",
1444
+ "locations": [
1445
+ {
1446
+ "annotations": [],
1447
+ "id": -1,
1448
+ "logicalLocations": [],
1449
+ "physicalLocation": {
1450
+ "artifactLocation": {
1451
+ "index": -1,
1452
+ "uri": "file:///usr/local/bin/actionlint"
1453
+ }
1454
+ },
1455
+ "relationships": []
1456
+ }
1457
+ ],
1458
+ "message": {
1459
+ "arguments": [],
1460
+ "text": "Package 'stdlib@1.23.4' is vulnerable to 'CVE-2025-4673' (also known as 'BIT-golang-2025-4673', 'GO-2025-3751')."
1461
+ },
1462
+ "rank": -1,
1463
+ "relatedLocations": [],
1464
+ "ruleId": "CVE-2025-4673",
1465
+ "ruleIndex": 23,
1466
+ "stacks": [],
1467
+ "taxa": []
1468
+ },
1469
+ {
1470
+ "attachments": [],
1471
+ "codeFlows": [],
1472
+ "fixes": [],
1473
+ "graphTraversals": [],
1474
+ "graphs": [],
1475
+ "kind": "fail",
1476
+ "level": "warning",
1477
+ "locations": [
1478
+ {
1479
+ "annotations": [],
1480
+ "id": -1,
1481
+ "logicalLocations": [],
1482
+ "physicalLocation": {
1483
+ "artifactLocation": {
1484
+ "index": -1,
1485
+ "uri": "file:///usr/local/bin/terraform"
1486
+ }
1487
+ },
1488
+ "relationships": []
1489
+ }
1490
+ ],
1491
+ "message": {
1492
+ "arguments": [],
1493
+ "text": "Package 'stdlib@1.24.2' is vulnerable to 'CVE-2025-4673' (also known as 'BIT-golang-2025-4673', 'GO-2025-3751')."
1494
+ },
1495
+ "rank": -1,
1496
+ "relatedLocations": [],
1497
+ "ruleId": "CVE-2025-4673",
1498
+ "ruleIndex": 23,
1499
+ "stacks": [],
1500
+ "taxa": []
1501
+ },
1502
+ {
1503
+ "attachments": [],
1504
+ "codeFlows": [],
1505
+ "fixes": [],
1506
+ "graphTraversals": [],
1507
+ "graphs": [],
1508
+ "kind": "fail",
1509
+ "level": "warning",
1510
+ "locations": [
1511
+ {
1512
+ "annotations": [],
1513
+ "id": -1,
1514
+ "logicalLocations": [],
1515
+ "physicalLocation": {
1516
+ "artifactLocation": {
1517
+ "index": -1,
1518
+ "uri": "file:///usr/bin/tflint"
1519
+ }
1520
+ },
1521
+ "relationships": []
1522
+ }
1523
+ ],
1524
+ "message": {
1525
+ "arguments": [],
1526
+ "text": "Package 'github.com/cloudflare/circl@1.3.7' is vulnerable to 'CVE-2025-8556' (also known as 'GO-2025-3754', 'GHSA-2x5j-vhc8-9cwm')."
1527
+ },
1528
+ "rank": -1,
1529
+ "relatedLocations": [],
1530
+ "ruleId": "CVE-2025-8556",
1531
+ "ruleIndex": 0,
1532
+ "stacks": [],
1533
+ "taxa": []
1534
+ },
1535
+ {
1536
+ "attachments": [],
1537
+ "codeFlows": [],
1538
+ "fixes": [],
1539
+ "graphTraversals": [],
1540
+ "graphs": [],
1541
+ "kind": "fail",
1542
+ "level": "warning",
1543
+ "locations": [
1544
+ {
1545
+ "annotations": [],
1546
+ "id": -1,
1547
+ "logicalLocations": [],
1548
+ "physicalLocation": {
1549
+ "artifactLocation": {
1550
+ "index": -1,
1551
+ "uri": "file:///usr/local/bin/terraform"
1552
+ }
1553
+ },
1554
+ "relationships": []
1555
+ }
1556
+ ],
1557
+ "message": {
1558
+ "arguments": [],
1559
+ "text": "Package 'github.com/cloudflare/circl@1.4.0' is vulnerable to 'CVE-2025-8556' (also known as 'GO-2025-3754', 'GHSA-2x5j-vhc8-9cwm')."
1560
+ },
1561
+ "rank": -1,
1562
+ "relatedLocations": [],
1563
+ "ruleId": "CVE-2025-8556",
1564
+ "ruleIndex": 0,
1565
+ "stacks": [],
1566
+ "taxa": []
1567
+ },
1568
+ {
1569
+ "attachments": [],
1570
+ "codeFlows": [],
1571
+ "fixes": [],
1572
+ "graphTraversals": [],
1573
+ "graphs": [],
1574
+ "kind": "fail",
1575
+ "level": "warning",
1576
+ "locations": [
1577
+ {
1578
+ "annotations": [],
1579
+ "id": -1,
1580
+ "logicalLocations": [],
1581
+ "physicalLocation": {
1582
+ "artifactLocation": {
1583
+ "index": -1,
1584
+ "uri": "file:///usr/bin/tflint"
1585
+ }
1586
+ },
1587
+ "relationships": []
1588
+ }
1589
+ ],
1590
+ "message": {
1591
+ "arguments": [],
1592
+ "text": "Package 'stdlib@1.22.5' is vulnerable to 'CVE-2025-47907' (also known as 'GO-2025-3849')."
1593
+ },
1594
+ "rank": -1,
1595
+ "relatedLocations": [],
1596
+ "ruleId": "CVE-2025-47907",
1597
+ "ruleIndex": 24,
1598
+ "stacks": [],
1599
+ "taxa": []
1600
+ },
1601
+ {
1602
+ "attachments": [],
1603
+ "codeFlows": [],
1604
+ "fixes": [],
1605
+ "graphTraversals": [],
1606
+ "graphs": [],
1607
+ "kind": "fail",
1608
+ "level": "warning",
1609
+ "locations": [
1610
+ {
1611
+ "annotations": [],
1612
+ "id": -1,
1613
+ "logicalLocations": [],
1614
+ "physicalLocation": {
1615
+ "artifactLocation": {
1616
+ "index": -1,
1617
+ "uri": "file:///usr/local/bin/actionlint"
1618
+ }
1619
+ },
1620
+ "relationships": []
1621
+ }
1622
+ ],
1623
+ "message": {
1624
+ "arguments": [],
1625
+ "text": "Package 'stdlib@1.23.4' is vulnerable to 'CVE-2025-47907' (also known as 'GO-2025-3849')."
1626
+ },
1627
+ "rank": -1,
1628
+ "relatedLocations": [],
1629
+ "ruleId": "CVE-2025-47907",
1630
+ "ruleIndex": 24,
1631
+ "stacks": [],
1632
+ "taxa": []
1633
+ },
1634
+ {
1635
+ "attachments": [],
1636
+ "codeFlows": [],
1637
+ "fixes": [],
1638
+ "graphTraversals": [],
1639
+ "graphs": [],
1640
+ "kind": "fail",
1641
+ "level": "warning",
1642
+ "locations": [
1643
+ {
1644
+ "annotations": [],
1645
+ "id": -1,
1646
+ "logicalLocations": [],
1647
+ "physicalLocation": {
1648
+ "artifactLocation": {
1649
+ "index": -1,
1650
+ "uri": "file:///usr/local/bin/terraform"
1651
+ }
1652
+ },
1653
+ "relationships": []
1654
+ }
1655
+ ],
1656
+ "message": {
1657
+ "arguments": [],
1658
+ "text": "Package 'stdlib@1.24.2' is vulnerable to 'CVE-2025-47907' (also known as 'GO-2025-3849')."
1659
+ },
1660
+ "rank": -1,
1661
+ "relatedLocations": [],
1662
+ "ruleId": "CVE-2025-47907",
1663
+ "ruleIndex": 24,
1664
+ "stacks": [],
1665
+ "taxa": []
1666
+ }
1667
+ ],
1668
+ "runAggregates": [],
1669
+ "taxonomies": [],
1670
+ "threadFlowLocations": [],
1671
+ "tool": {
1672
+ "driver": {
1673
+ "contents": [
1674
+ "localizedData",
1675
+ "nonLocalizedData"
1676
+ ],
1677
+ "informationUri": "https://github.com/google/osv-scanner",
1678
+ "isComprehensive": false,
1679
+ "language": "en-US",
1680
+ "locations": [],
1681
+ "name": "osv-scanner",
1682
+ "notifications": [],
1683
+ "rules": [
1684
+ {
1685
+ "deprecatedIds": [
1686
+ "CVE-2025-8556",
1687
+ "GO-2025-3754",
1688
+ "GHSA-2x5j-vhc8-9cwm"
1689
+ ],
1690
+ "fullDescription": {
1691
+ "markdown": "CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl",
1692
+ "text": "CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl"
1693
+ },
1694
+ "help": {
1695
+ "markdown": "**Your dependency is vulnerable to [CVE-2025-8556](https://osv.dev/CVE-2025-8556)**\n(Also published as: [GO-2025-3754](https://osv.dev/GO-2025-3754), [GHSA-2x5j-vhc8-9cwm](https://osv.dev/GHSA-2x5j-vhc8-9cwm), ).\n\n## [GO-2025-3754](https://osv.dev/GO-2025-3754)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl\n\n\u003c/details\u003e\n\n## [GHSA-2x5j-vhc8-9cwm](https://osv.dev/GHSA-2x5j-vhc8-9cwm)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e ### Impact\n\u003e The CIRCL implementation of FourQ fails to validate user-supplied low-order points during Diffie-Hellman key exchange, potentially allowing attackers to force the identity point and compromise session security.\n\u003e \n\u003e Moreover, there is an incorrect point validation in ScalarMult can lead to incorrect results in the isEqual function and if a point is on the curve.\n\u003e \n\u003e \n\u003e ### Patches\n\u003e Version 1.6.1 (https://github.com/cloudflare/circl/tree/v1.6.1) mitigates the identified issues.\n\u003e \n\u003e We acknowledge Alon Livne (Botanica Software Labs) for the reported findings.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | github.com/cloudflare/circl | 1.3.7 |\n| artifact:/usr/local/bin/terraform | github.com/cloudflare/circl | 1.4.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-2x5j-vhc8-9cwm | github.com/cloudflare/circl | 1.6.1 |\n| GO-2025-3754 | github.com/cloudflare/circl | 1.6.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in 
an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-8556\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/usr/local/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-8556\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1696
+ "text": "**Your dependency is vulnerable to [CVE-2025-8556](https://osv.dev/CVE-2025-8556)**\n(Also published as: [GO-2025-3754](https://osv.dev/GO-2025-3754), [GHSA-2x5j-vhc8-9cwm](https://osv.dev/GHSA-2x5j-vhc8-9cwm), ).\n\n## [GO-2025-3754](https://osv.dev/GO-2025-3754)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl\n\n\u003c/details\u003e\n\n## [GHSA-2x5j-vhc8-9cwm](https://osv.dev/GHSA-2x5j-vhc8-9cwm)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e ### Impact\n\u003e The CIRCL implementation of FourQ fails to validate user-supplied low-order points during Diffie-Hellman key exchange, potentially allowing attackers to force the identity point and compromise session security.\n\u003e \n\u003e Moreover, there is an incorrect point validation in ScalarMult can lead to incorrect results in the isEqual function and if a point is on the curve.\n\u003e \n\u003e \n\u003e ### Patches\n\u003e Version 1.6.1 (https://github.com/cloudflare/circl/tree/v1.6.1) mitigates the identified issues.\n\u003e \n\u003e We acknowledge Alon Livne (Botanica Software Labs) for the reported findings.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | github.com/cloudflare/circl | 1.3.7 |\n| artifact:/usr/local/bin/terraform | github.com/cloudflare/circl | 1.4.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-2x5j-vhc8-9cwm | github.com/cloudflare/circl | 1.6.1 |\n| GO-2025-3754 | github.com/cloudflare/circl | 1.6.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in 
an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-8556\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/usr/local/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-8556\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1697
+ },
1698
+ "id": "CVE-2025-8556",
1699
+ "name": "CVE-2025-8556",
1700
+ "properties": {
1701
+ "security-severity": "3.7"
1702
+ },
1703
+ "relationships": [],
1704
+ "shortDescription": {
1705
+ "markdown": "CVE-2025-8556: CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl",
1706
+ "text": "CVE-2025-8556: CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl"
1707
+ }
1708
+ },
1709
+ {
1710
+ "deprecatedIds": [
1711
+ "CVE-2020-8908",
1712
+ "CGA-7rjh-334q-pq8g",
1713
+ "GHSA-5mg8-w23w-74h3"
1714
+ ],
1715
+ "fullDescription": {
1716
+ "markdown": "A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava `com.google.common.io.Files.createTempDir()`. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.\n",
1717
+ "text": "A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava `com.google.common.io.Files.createTempDir()`. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.\n"
1718
+ },
1719
+ "help": {
1720
+ "markdown": "**Your dependency is vulnerable to [CVE-2020-8908](https://osv.dev/CVE-2020-8908)**.\n\n## [GHSA-5mg8-w23w-74h3](https://osv.dev/GHSA-5mg8-w23w-74h3)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava `com.google.common.io.Files.createTempDir()`. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre-sources.jar | com.google.guava:guava | 30.1-jre |\n| artifact:/root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar | com.google.guava:guava | 30.1-jre |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-5mg8-w23w-74h3 | com.google.guava:guava | 32.0.0-android |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this 
vulnerability:\n\n`/root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-8908\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1721
+ "text": "**Your dependency is vulnerable to [CVE-2020-8908](https://osv.dev/CVE-2020-8908)**.\n\n## [GHSA-5mg8-w23w-74h3](https://osv.dev/GHSA-5mg8-w23w-74h3)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava `com.google.common.io.Files.createTempDir()`. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre-sources.jar | com.google.guava:guava | 30.1-jre |\n| artifact:/root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar | com.google.guava:guava | 30.1-jre |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-5mg8-w23w-74h3 | com.google.guava:guava | 32.0.0-android |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this 
vulnerability:\n\n`/root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-8908\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1722
+ },
1723
+ "id": "CVE-2020-8908",
1724
+ "name": "CVE-2020-8908",
1725
+ "properties": {
1726
+ "security-severity": "3.3"
1727
+ },
1728
+ "relationships": [],
1729
+ "shortDescription": {
1730
+ "markdown": "CVE-2020-8908: Information Disclosure in Guava",
1731
+ "text": "CVE-2020-8908: Information Disclosure in Guava"
1732
+ }
1733
+ },
1734
+ {
1735
+ "deprecatedIds": [
1736
+ "CVE-2025-22868",
1737
+ "GO-2025-3488",
1738
+ "GHSA-6v2p-p543-phr9"
1739
+ ],
1740
+ "fullDescription": {
1741
+ "markdown": "An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.",
1742
+ "text": "An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing."
1743
+ },
1744
+ "help": {
1745
+ "markdown": "**Your dependency is vulnerable to [CVE-2025-22868](https://osv.dev/CVE-2025-22868)**\n(Also published as: [GO-2025-3488](https://osv.dev/GO-2025-3488), [GHSA-6v2p-p543-phr9](https://osv.dev/GHSA-6v2p-p543-phr9), ).\n\n## [GO-2025-3488](https://osv.dev/GO-2025-3488)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.\n\n\u003c/details\u003e\n\n## [GHSA-6v2p-p543-phr9](https://osv.dev/GHSA-6v2p-p543-phr9)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | golang.org/x/oauth2 | 0.20.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-6v2p-p543-phr9 | golang.org/x/oauth2 | 0.27.0 |\n| GO-2025-3488 | golang.org/x/oauth2 | 0.27.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-22868\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1746
+ "text": "**Your dependency is vulnerable to [CVE-2025-22868](https://osv.dev/CVE-2025-22868)**\n(Also published as: [GO-2025-3488](https://osv.dev/GO-2025-3488), [GHSA-6v2p-p543-phr9](https://osv.dev/GHSA-6v2p-p543-phr9), ).\n\n## [GO-2025-3488](https://osv.dev/GO-2025-3488)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.\n\n\u003c/details\u003e\n\n## [GHSA-6v2p-p543-phr9](https://osv.dev/GHSA-6v2p-p543-phr9)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | golang.org/x/oauth2 | 0.20.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-6v2p-p543-phr9 | golang.org/x/oauth2 | 0.27.0 |\n| GO-2025-3488 | golang.org/x/oauth2 | 0.27.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-22868\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1747
+ },
1748
+ "id": "CVE-2025-22868",
1749
+ "name": "CVE-2025-22868",
1750
+ "properties": {
1751
+ "security-severity": "7.5"
1752
+ },
1753
+ "relationships": [],
1754
+ "shortDescription": {
1755
+ "markdown": "CVE-2025-22868: Unexpected memory consumption during token parsing in golang.org/x/oauth2",
1756
+ "text": "CVE-2025-22868: Unexpected memory consumption during token parsing in golang.org/x/oauth2"
1757
+ }
1758
+ },
1759
+ {
1760
+ "deprecatedIds": [
1761
+ "CVE-2024-7254",
1762
+ "GHSA-735f-pc8j-v9w8"
1763
+ ],
1764
+ "fullDescription": {
1765
+ "markdown": "### Summary\nWhen parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash.\n\nReporter: Alexis Challande, Trail of Bits Ecosystem Security Team \u003cecosystem@trailofbits.com\u003e\n\nAffected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.\n\n### Severity\n[CVE-2024-7254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7254) **High** CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication)\nThis is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.\n\n### Proof of Concept\nFor reproduction details, please refer to the unit tests (Protobuf Java [LiteTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/lite/src/test/java/com/google/protobuf/LiteTest.java) and [CodedInputStreamTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/core/src/test/java/com/google/protobuf/CodedInputStreamTest.java)) that identify the specific inputs that exercise this parsing weakness.\n\n### Remediation and Mitigation\nWe have been working diligently to address this issue and have released a mitigation that is available now. Please update to the latest available versions of the following packages:\n* protobuf-java (3.25.5, 4.27.5, 4.28.2)\n* protobuf-javalite (3.25.5, 4.27.5, 4.28.2)\n* protobuf-kotlin (3.25.5, 4.27.5, 4.28.2)\n* protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)\n* com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)",
1766
+ "text": "### Summary\nWhen parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash.\n\nReporter: Alexis Challande, Trail of Bits Ecosystem Security Team \u003cecosystem@trailofbits.com\u003e\n\nAffected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.\n\n### Severity\n[CVE-2024-7254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7254) **High** CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication)\nThis is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.\n\n### Proof of Concept\nFor reproduction details, please refer to the unit tests (Protobuf Java [LiteTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/lite/src/test/java/com/google/protobuf/LiteTest.java) and [CodedInputStreamTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/core/src/test/java/com/google/protobuf/CodedInputStreamTest.java)) that identify the specific inputs that exercise this parsing weakness.\n\n### Remediation and Mitigation\nWe have been working diligently to address this issue and have released a mitigation that is available now. Please update to the latest available versions of the following packages:\n* protobuf-java (3.25.5, 4.27.5, 4.28.2)\n* protobuf-javalite (3.25.5, 4.27.5, 4.28.2)\n* protobuf-kotlin (3.25.5, 4.27.5, 4.28.2)\n* protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)\n* com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)"
1767
+ },
1768
+ "help": {
1769
+ "markdown": "**Your dependency is vulnerable to [CVE-2024-7254](https://osv.dev/CVE-2024-7254)**.\n\n## [GHSA-735f-pc8j-v9w8](https://osv.dev/GHSA-735f-pc8j-v9w8)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e ### Summary\n\u003e When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash.\n\u003e \n\u003e Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team \u003cecosystem@trailofbits.com\u003e\n\u003e \n\u003e Affected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.\n\u003e \n\u003e ### Severity\n\u003e [CVE-2024-7254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7254) **High** CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication)\n\u003e This is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.\n\u003e \n\u003e ### Proof of Concept\n\u003e For reproduction details, please refer to the unit tests (Protobuf Java [LiteTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/lite/src/test/java/com/google/protobuf/LiteTest.java) and [CodedInputStreamTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/core/src/test/java/com/google/protobuf/CodedInputStreamTest.java)) that identify the specific inputs that exercise this parsing weakness.\n\u003e \n\u003e ### Remediation and Mitigation\n\u003e We have been working diligently to address this issue and have released a mitigation that is available now. 
Please update to the latest available versions of the following packages:\n\u003e * protobuf-java (3.25.5, 4.27.5, 4.28.2)\n\u003e * protobuf-javalite (3.25.5, 4.27.5, 4.28.2)\n\u003e * protobuf-kotlin (3.25.5, 4.27.5, 4.28.2)\n\u003e * protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)\n\u003e * com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/protobuf/protobuf-java/3.19.6/protobuf-java-3.19.6.jar | com.google.protobuf:protobuf-java | 3.19.6 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-735f-pc8j-v9w8 | google-protobuf | 3.25.5, 4.27.5, 4.28.2 |\n| GHSA-735f-pc8j-v9w8 | com.google.protobuf:protobuf-java | 3.25.5, 4.27.5, 4.28.2 |\n| GHSA-735f-pc8j-v9w8 | com.google.protobuf:protobuf-javalite | 3.25.5, 4.27.5, 4.28.2 |\n| GHSA-735f-pc8j-v9w8 | com.google.protobuf:protobuf-kotlin | 3.25.5, 4.27.5, 4.28.2 |\n| GHSA-735f-pc8j-v9w8 | com.google.protobuf:protobuf-kotlin-lite | 3.25.5, 4.27.5, 4.28.2 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/protobuf/protobuf-java/3.19.6/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-7254\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1770
+ "text": "**Your dependency is vulnerable to [CVE-2024-7254](https://osv.dev/CVE-2024-7254)**.\n\n## [GHSA-735f-pc8j-v9w8](https://osv.dev/GHSA-735f-pc8j-v9w8)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e ### Summary\n\u003e When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash.\n\u003e \n\u003e Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team \u003cecosystem@trailofbits.com\u003e\n\u003e \n\u003e Affected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.\n\u003e \n\u003e ### Severity\n\u003e [CVE-2024-7254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7254) **High** CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication)\n\u003e This is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.\n\u003e \n\u003e ### Proof of Concept\n\u003e For reproduction details, please refer to the unit tests (Protobuf Java [LiteTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/lite/src/test/java/com/google/protobuf/LiteTest.java) and [CodedInputStreamTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/core/src/test/java/com/google/protobuf/CodedInputStreamTest.java)) that identify the specific inputs that exercise this parsing weakness.\n\u003e \n\u003e ### Remediation and Mitigation\n\u003e We have been working diligently to address this issue and have released a mitigation that is available now. 
Please update to the latest available versions of the following packages:\n\u003e * protobuf-java (3.25.5, 4.27.5, 4.28.2)\n\u003e * protobuf-javalite (3.25.5, 4.27.5, 4.28.2)\n\u003e * protobuf-kotlin (3.25.5, 4.27.5, 4.28.2)\n\u003e * protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)\n\u003e * com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/protobuf/protobuf-java/3.19.6/protobuf-java-3.19.6.jar | com.google.protobuf:protobuf-java | 3.19.6 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-735f-pc8j-v9w8 | google-protobuf | 3.25.5, 4.27.5, 4.28.2 |\n| GHSA-735f-pc8j-v9w8 | com.google.protobuf:protobuf-java | 3.25.5, 4.27.5, 4.28.2 |\n| GHSA-735f-pc8j-v9w8 | com.google.protobuf:protobuf-javalite | 3.25.5, 4.27.5, 4.28.2 |\n| GHSA-735f-pc8j-v9w8 | com.google.protobuf:protobuf-kotlin | 3.25.5, 4.27.5, 4.28.2 |\n| GHSA-735f-pc8j-v9w8 | com.google.protobuf:protobuf-kotlin-lite | 3.25.5, 4.27.5, 4.28.2 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/protobuf/protobuf-java/3.19.6/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-7254\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1771
+ },
1772
+ "id": "CVE-2024-7254",
1773
+ "name": "CVE-2024-7254",
1774
+ "properties": {
1775
+ "security-severity": "8.7"
1776
+ },
1777
+ "relationships": [],
1778
+ "shortDescription": {
1779
+ "markdown": "CVE-2024-7254: protobuf-java has potential Denial of Service issue",
1780
+ "text": "CVE-2024-7254: protobuf-java has potential Denial of Service issue"
1781
+ }
1782
+ },
1783
+ {
1784
+ "deprecatedIds": [
1785
+ "CVE-2023-2976",
1786
+ "CGA-g8pm-vcpp-9jxq",
1787
+ "GHSA-7g45-4rm6-3mm3"
1788
+ ],
1789
+ "fullDescription": {
1790
+ "markdown": "Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.\n\nEven though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.",
1791
+ "text": "Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.\n\nEven though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows."
1792
+ },
1793
+ "help": {
1794
+ "markdown": "**Your dependency is vulnerable to [CVE-2023-2976](https://osv.dev/CVE-2023-2976)**.\n\n## [GHSA-7g45-4rm6-3mm3](https://osv.dev/GHSA-7g45-4rm6-3mm3)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.\n\u003e \n\u003e Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre-sources.jar | com.google.guava:guava | 30.1-jre |\n| artifact:/root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar | com.google.guava:guava | 30.1-jre |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-7g45-4rm6-3mm3 | com.google.guava:guava | 32.0.0-android |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this 
vulnerability:\n\n`/root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2023-2976\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1795
+ "text": "**Your dependency is vulnerable to [CVE-2023-2976](https://osv.dev/CVE-2023-2976)**.\n\n## [GHSA-7g45-4rm6-3mm3](https://osv.dev/GHSA-7g45-4rm6-3mm3)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.\n\u003e \n\u003e Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre-sources.jar | com.google.guava:guava | 30.1-jre |\n| artifact:/root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar | com.google.guava:guava | 30.1-jre |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-7g45-4rm6-3mm3 | com.google.guava:guava | 32.0.0-android |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this 
vulnerability:\n\n`/root/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/guava/guava/30.1-jre/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2023-2976\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1796
+ },
1797
+ "id": "CVE-2023-2976",
1798
+ "name": "CVE-2023-2976",
1799
+ "properties": {
1800
+ "security-severity": "5.5"
1801
+ },
1802
+ "relationships": [],
1803
+ "shortDescription": {
1804
+ "markdown": "CVE-2023-2976: Guava vulnerable to insecure use of temporary directory",
1805
+ "text": "CVE-2023-2976: Guava vulnerable to insecure use of temporary directory"
1806
+ }
1807
+ },
1808
+ {
1809
+ "deprecatedIds": [
1810
+ "CVE-2025-22869",
1811
+ "GO-2025-3487",
1812
+ "GHSA-hcg3-q754-cr77"
1813
+ ],
1814
+ "fullDescription": {
1815
+ "markdown": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.",
1816
+ "text": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted."
1817
+ },
1818
+ "help": {
1819
+ "markdown": "**Your dependency is vulnerable to [CVE-2025-22869](https://osv.dev/CVE-2025-22869)**\n(Also published as: [GO-2025-3487](https://osv.dev/GO-2025-3487), [GHSA-hcg3-q754-cr77](https://osv.dev/GHSA-hcg3-q754-cr77), ).\n\n## [GO-2025-3487](https://osv.dev/GO-2025-3487)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.\n\n\u003c/details\u003e\n\n## [GHSA-hcg3-q754-cr77](https://osv.dev/GHSA-hcg3-q754-cr77)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | golang.org/x/crypto | 0.23.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-hcg3-q754-cr77 | golang.org/x/crypto | 0.35.0 |\n| GO-2025-3487 | golang.org/x/crypto | 0.35.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this 
vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-22869\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1820
+ "text": "**Your dependency is vulnerable to [CVE-2025-22869](https://osv.dev/CVE-2025-22869)**\n(Also published as: [GO-2025-3487](https://osv.dev/GO-2025-3487), [GHSA-hcg3-q754-cr77](https://osv.dev/GHSA-hcg3-q754-cr77), ).\n\n## [GO-2025-3487](https://osv.dev/GO-2025-3487)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.\n\n\u003c/details\u003e\n\n## [GHSA-hcg3-q754-cr77](https://osv.dev/GHSA-hcg3-q754-cr77)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | golang.org/x/crypto | 0.23.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-hcg3-q754-cr77 | golang.org/x/crypto | 0.35.0 |\n| GO-2025-3487 | golang.org/x/crypto | 0.35.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this 
vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-22869\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1821
+ },
1822
+ "id": "CVE-2025-22869",
1823
+ "name": "CVE-2025-22869",
1824
+ "properties": {
1825
+ "security-severity": "7.5"
1826
+ },
1827
+ "relationships": [],
1828
+ "shortDescription": {
1829
+ "markdown": "CVE-2025-22869: Potential denial of service in golang.org/x/crypto",
1830
+ "text": "CVE-2025-22869: Potential denial of service in golang.org/x/crypto"
1831
+ }
1832
+ },
1833
+ {
1834
+ "deprecatedIds": [
1835
+ "CVE-2025-48924",
1836
+ "GHSA-j288-q9x7-2f5v"
1837
+ ],
1838
+ "fullDescription": {
1839
+ "markdown": "Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\nThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\n\nThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.\n\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.",
1840
+ "text": "Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\nThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\n\nThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.\n\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue."
1841
+ },
1842
+ "help": {
1843
+ "markdown": "**Your dependency is vulnerable to [CVE-2025-48924](https://osv.dev/CVE-2025-48924)**.\n\n## [GHSA-j288-q9x7-2f5v](https://osv.dev/GHSA-j288-q9x7-2f5v)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\u003e \n\u003e This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\n\u003e \n\u003e The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.\n\u003e \n\u003e Users are recommended to upgrade to version 3.18.0, which fixes the issue.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/root/.cache/coursier/v1/https/repo1.maven.org/maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar | org.apache.commons:commons-lang3 | 3.14.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-j288-q9x7-2f5v | org.apache.commons:commons-lang3 | 3.18.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/root/.cache/coursier/v1/https/repo1.maven.org/maven2/org/apache/commons/commons-lang3/3.14.0/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-48924\"\nreason = 
\"Your reason for ignoring this vulnerability\"\n```\n",
1844
+ "text": "**Your dependency is vulnerable to [CVE-2025-48924](https://osv.dev/CVE-2025-48924)**.\n\n## [GHSA-j288-q9x7-2f5v](https://osv.dev/GHSA-j288-q9x7-2f5v)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\u003e \n\u003e This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\n\u003e \n\u003e The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.\n\u003e \n\u003e Users are recommended to upgrade to version 3.18.0, which fixes the issue.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/root/.cache/coursier/v1/https/repo1.maven.org/maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar | org.apache.commons:commons-lang3 | 3.14.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-j288-q9x7-2f5v | org.apache.commons:commons-lang3 | 3.18.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/root/.cache/coursier/v1/https/repo1.maven.org/maven2/org/apache/commons/commons-lang3/3.14.0/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-48924\"\nreason = 
\"Your reason for ignoring this vulnerability\"\n```\n"
1845
+ },
1846
+ "id": "CVE-2025-48924",
1847
+ "name": "CVE-2025-48924",
1848
+ "properties": {
1849
+ "security-severity": "6.5"
1850
+ },
1851
+ "relationships": [],
1852
+ "shortDescription": {
1853
+ "markdown": "CVE-2025-48924: Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs",
1854
+ "text": "CVE-2025-48924: Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs"
1855
+ }
1856
+ },
1857
+ {
1858
+ "deprecatedIds": [
1859
+ "CVE-2025-22870",
1860
+ "GO-2025-3503",
1861
+ "GHSA-qxp5-gwg8-xv66"
1862
+ ],
1863
+ "fullDescription": {
1864
+ "markdown": "Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to \"*.example.com\", a request to \"[::1%25.example.com]:80` will incorrectly match and not be proxied.",
1865
+ "text": "Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to \"*.example.com\", a request to \"[::1%25.example.com]:80` will incorrectly match and not be proxied."
1866
+ },
1867
+ "help": {
1868
+ "markdown": "**Your dependency is vulnerable to [CVE-2025-22870](https://osv.dev/CVE-2025-22870)**\n(Also published as: [GO-2025-3503](https://osv.dev/GO-2025-3503), [GHSA-qxp5-gwg8-xv66](https://osv.dev/GHSA-qxp5-gwg8-xv66), ).\n\n## [GO-2025-3503](https://osv.dev/GO-2025-3503)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to \"*.example.com\", a request to \"[::1%25.example.com]:80` will incorrectly match and not be proxied.\n\n\u003c/details\u003e\n\n## [GHSA-qxp5-gwg8-xv66](https://osv.dev/GHSA-qxp5-gwg8-xv66)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to \"*.example.com\", a request to \"[::1%25.example.com]:80` will incorrectly match and not be proxied.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | golang.org/x/net | 0.25.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-qxp5-gwg8-xv66 | golang.org/x/net | 0.36.0 |\n| GO-2025-3503 | golang.org/x/net | 0.36.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this 
vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-22870\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1869
+ "text": "**Your dependency is vulnerable to [CVE-2025-22870](https://osv.dev/CVE-2025-22870)**\n(Also published as: [GO-2025-3503](https://osv.dev/GO-2025-3503), [GHSA-qxp5-gwg8-xv66](https://osv.dev/GHSA-qxp5-gwg8-xv66), ).\n\n## [GO-2025-3503](https://osv.dev/GO-2025-3503)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to \"*.example.com\", a request to \"[::1%25.example.com]:80` will incorrectly match and not be proxied.\n\n\u003c/details\u003e\n\n## [GHSA-qxp5-gwg8-xv66](https://osv.dev/GHSA-qxp5-gwg8-xv66)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to \"*.example.com\", a request to \"[::1%25.example.com]:80` will incorrectly match and not be proxied.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | golang.org/x/net | 0.25.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-qxp5-gwg8-xv66 | golang.org/x/net | 0.36.0 |\n| GO-2025-3503 | golang.org/x/net | 0.36.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this 
vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-22870\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1870
+ },
1871
+ "id": "CVE-2025-22870",
1872
+ "name": "CVE-2025-22870",
1873
+ "properties": {
1874
+ "security-severity": "4.4"
1875
+ },
1876
+ "relationships": [],
1877
+ "shortDescription": {
1878
+ "markdown": "CVE-2025-22870: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net",
1879
+ "text": "CVE-2025-22870: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net"
1880
+ }
1881
+ },
1882
+ {
1883
+ "deprecatedIds": [
1884
+ "CVE-2024-45337",
1885
+ "GO-2024-3321",
1886
+ "GHSA-v778-237x-gjrc"
1887
+ ],
1888
+ "fullDescription": {
1889
+ "markdown": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass.\n\nThe documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.\n\nFor example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.\n\nSince this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. 
Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.\n\nUsers should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.",
1890
+ "text": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass.\n\nThe documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.\n\nFor example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.\n\nSince this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. 
Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.\n\nUsers should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance."
1891
+ },
1892
+ "help": {
1893
+ "markdown": "**Your dependency is vulnerable to [CVE-2024-45337](https://osv.dev/CVE-2024-45337)**\n(Also published as: [GO-2024-3321](https://osv.dev/GO-2024-3321), [GHSA-v778-237x-gjrc](https://osv.dev/GHSA-v778-237x-gjrc), ).\n\n## [GO-2024-3321](https://osv.dev/GO-2024-3321)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass.\n\u003e \n\u003e The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.\n\u003e \n\u003e For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.\n\u003e \n\u003e Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. 
Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.\n\u003e \n\u003e Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.\n\n\u003c/details\u003e\n\n## [GHSA-v778-237x-gjrc](https://osv.dev/GHSA-v778-237x-gjrc)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.\n\u003e \n\u003e The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.\n\u003e \n\u003e For example, an attacker may send public keys A and B, and then authenticate with A. 
PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.\n\u003e \n\u003e Since this API is widely misused, as a partial mitigation golang.org/x/crypto@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.\n\u003e \n\u003e Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. 
Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | golang.org/x/crypto | 0.23.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-v778-237x-gjrc | golang.org/x/crypto | 0.31.0 |\n| GO-2024-3321 | golang.org/x/crypto | 0.31.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-45337\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1894
+ "text": "**Your dependency is vulnerable to [CVE-2024-45337](https://osv.dev/CVE-2024-45337)**\n(Also published as: [GO-2024-3321](https://osv.dev/GO-2024-3321), [GHSA-v778-237x-gjrc](https://osv.dev/GHSA-v778-237x-gjrc), ).\n\n## [GO-2024-3321](https://osv.dev/GO-2024-3321)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass.\n\u003e \n\u003e The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.\n\u003e \n\u003e For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.\n\u003e \n\u003e Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. 
Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.\n\u003e \n\u003e Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.\n\n\u003c/details\u003e\n\n## [GHSA-v778-237x-gjrc](https://osv.dev/GHSA-v778-237x-gjrc)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.\n\u003e \n\u003e The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.\n\u003e \n\u003e For example, an attacker may send public keys A and B, and then authenticate with A. 
PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.\n\u003e \n\u003e Since this API is widely misused, as a partial mitigation golang.org/x/crypto@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.\n\u003e \n\u003e Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. 
Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | golang.org/x/crypto | 0.23.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-v778-237x-gjrc | golang.org/x/crypto | 0.31.0 |\n| GO-2024-3321 | golang.org/x/crypto | 0.31.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-45337\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1895
+ },
1896
+ "id": "CVE-2024-45337",
1897
+ "name": "CVE-2024-45337",
1898
+ "properties": {
1899
+ "security-severity": "9.1"
1900
+ },
1901
+ "relationships": [],
1902
+ "shortDescription": {
1903
+ "markdown": "CVE-2024-45337: Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto",
1904
+ "text": "CVE-2024-45337: Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto"
1905
+ }
1906
+ },
1907
+ {
1908
+ "deprecatedIds": [
1909
+ "CVE-2025-22872",
1910
+ "GO-2025-3595",
1911
+ "GHSA-vvgc-356p-c3xw"
1912
+ ],
1913
+ "fullDescription": {
1914
+ "markdown": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).",
1915
+ "text": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts)."
1916
+ },
1917
+ "help": {
1918
+ "markdown": "**Your dependency is vulnerable to [CVE-2025-22872](https://osv.dev/CVE-2025-22872)**\n(Also published as: [GO-2025-3595](https://osv.dev/GO-2025-3595), [GHSA-vvgc-356p-c3xw](https://osv.dev/GHSA-vvgc-356p-c3xw), ).\n\n## [GO-2025-3595](https://osv.dev/GO-2025-3595)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).\n\n\u003c/details\u003e\n\n## [GHSA-vvgc-356p-c3xw](https://osv.dev/GHSA-vvgc-356p-c3xw)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. 
\u003cmath\u003e, \u003csvg\u003e, etc contexts).\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | golang.org/x/net | 0.25.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-vvgc-356p-c3xw | golang.org/x/net | 0.38.0 |\n| GO-2025-3595 | golang.org/x/net | 0.38.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-22872\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1919
+ "text": "**Your dependency is vulnerable to [CVE-2025-22872](https://osv.dev/CVE-2025-22872)**\n(Also published as: [GO-2025-3595](https://osv.dev/GO-2025-3595), [GHSA-vvgc-356p-c3xw](https://osv.dev/GHSA-vvgc-356p-c3xw), ).\n\n## [GO-2025-3595](https://osv.dev/GO-2025-3595)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).\n\n\u003c/details\u003e\n\n## [GHSA-vvgc-356p-c3xw](https://osv.dev/GHSA-vvgc-356p-c3xw)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. 
\u003cmath\u003e, \u003csvg\u003e, etc contexts).\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | golang.org/x/net | 0.25.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-vvgc-356p-c3xw | golang.org/x/net | 0.38.0 |\n| GO-2025-3595 | golang.org/x/net | 0.38.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-22872\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1920
+ },
1921
+ "id": "CVE-2025-22872",
1922
+ "name": "CVE-2025-22872",
1923
+ "properties": {
1924
+ "security-severity": "5.3"
1925
+ },
1926
+ "relationships": [],
1927
+ "shortDescription": {
1928
+ "markdown": "CVE-2025-22872: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net",
1929
+ "text": "CVE-2025-22872: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net"
1930
+ }
1931
+ },
1932
+ {
1933
+ "deprecatedIds": [
1934
+ "CVE-2024-6257",
1935
+ "GO-2024-2948",
1936
+ "GHSA-xfhp-jf8p-mh5w"
1937
+ ],
1938
+ "fullDescription": {
1939
+ "markdown": "A crafted request can execute Git update on an existing maliciously modified Git Configuration. This can potentially lead to arbitrary code execution. When performing a Git operation, the library will try to clone the given repository to a specified destination. Cloning initializes a git config in the provided destination. An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.",
1940
+ "text": "A crafted request can execute Git update on an existing maliciously modified Git Configuration. This can potentially lead to arbitrary code execution. When performing a Git operation, the library will try to clone the given repository to a specified destination. Cloning initializes a git config in the provided destination. An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution."
1941
+ },
1942
+ "help": {
1943
+ "markdown": "**Your dependency is vulnerable to [CVE-2024-6257](https://osv.dev/CVE-2024-6257)**\n(Also published as: [GO-2024-2948](https://osv.dev/GO-2024-2948), [GHSA-xfhp-jf8p-mh5w](https://osv.dev/GHSA-xfhp-jf8p-mh5w), ).\n\n## [GO-2024-2948](https://osv.dev/GO-2024-2948)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e A crafted request can execute Git update on an existing maliciously modified Git Configuration. This can potentially lead to arbitrary code execution. When performing a Git operation, the library will try to clone the given repository to a specified destination. Cloning initializes a git config in the provided destination. An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.\n\n\u003c/details\u003e\n\n## [GHSA-xfhp-jf8p-mh5w](https://osv.dev/GHSA-xfhp-jf8p-mh5w)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution. When go-getter is performing a Git operation, go-getter will try to clone the given repository in a specified destination. 
Cloning initializes a git config to the provided destination and if the repository needs to get updated go-getter will pull the new changes .\n\u003e \n\u003e An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | github.com/hashicorp/go-getter | 1.7.4 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-xfhp-jf8p-mh5w | github.com/hashicorp/go-getter | 1.7.5 |\n| GO-2024-2948 | github.com/hashicorp/go-getter | 1.7.5 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-6257\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1944
+ "text": "**Your dependency is vulnerable to [CVE-2024-6257](https://osv.dev/CVE-2024-6257)**\n(Also published as: [GO-2024-2948](https://osv.dev/GO-2024-2948), [GHSA-xfhp-jf8p-mh5w](https://osv.dev/GHSA-xfhp-jf8p-mh5w), ).\n\n## [GO-2024-2948](https://osv.dev/GO-2024-2948)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e A crafted request can execute Git update on an existing maliciously modified Git Configuration. This can potentially lead to arbitrary code execution. When performing a Git operation, the library will try to clone the given repository to a specified destination. Cloning initializes a git config in the provided destination. An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.\n\n\u003c/details\u003e\n\n## [GHSA-xfhp-jf8p-mh5w](https://osv.dev/GHSA-xfhp-jf8p-mh5w)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution. When go-getter is performing a Git operation, go-getter will try to clone the given repository in a specified destination. 
Cloning initializes a git config to the provided destination and if the repository needs to get updated go-getter will pull the new changes .\n\u003e \n\u003e An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | github.com/hashicorp/go-getter | 1.7.4 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-xfhp-jf8p-mh5w | github.com/hashicorp/go-getter | 1.7.5 |\n| GO-2024-2948 | github.com/hashicorp/go-getter | 1.7.5 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-6257\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1945
+ },
1946
+ "id": "CVE-2024-6257",
1947
+ "name": "CVE-2024-6257",
1948
+ "properties": {
1949
+ "security-severity": "8.4"
1950
+ },
1951
+ "relationships": [],
1952
+ "shortDescription": {
1953
+ "markdown": "CVE-2024-6257: Code Execution on Git update in github.com/hashicorp/go-getter",
1954
+ "text": "CVE-2024-6257: Code Execution on Git update in github.com/hashicorp/go-getter"
1955
+ }
1956
+ },
1957
+ {
1958
+ "deprecatedIds": [
1959
+ "CVE-2020-8912",
1960
+ "GO-2022-0635",
1961
+ "GHSA-7f33-f4f5-xwgw"
1962
+ ],
1963
+ "fullDescription": {
1964
+ "markdown": "A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.",
1965
+ "text": "A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files."
1966
+ },
1967
+ "help": {
1968
+ "markdown": "**Your dependency is vulnerable to [CVE-2020-8912](https://osv.dev/CVE-2020-8912)**.\n\n## [GO-2022-0635](https://osv.dev/GO-2022-0635)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | github.com/aws/aws-sdk-go | 1.44.122 |\n| artifact:/usr/local/bin/terraform | github.com/aws/aws-sdk-go | 1.44.122 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-8912\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/usr/local/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-8912\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1969
+ "text": "**Your dependency is vulnerable to [CVE-2020-8912](https://osv.dev/CVE-2020-8912)**.\n\n## [GO-2022-0635](https://osv.dev/GO-2022-0635)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | github.com/aws/aws-sdk-go | 1.44.122 |\n| artifact:/usr/local/bin/terraform | github.com/aws/aws-sdk-go | 1.44.122 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-8912\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/usr/local/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-8912\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1970
+ },
1971
+ "id": "CVE-2020-8912",
1972
+ "name": "CVE-2020-8912",
1973
+ "relationships": [],
1974
+ "shortDescription": {
1975
+ "markdown": "CVE-2020-8912: In-band key negotiation issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go",
1976
+ "text": "CVE-2020-8912: In-band key negotiation issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go"
1977
+ }
1978
+ },
1979
+ {
1980
+ "deprecatedIds": [
1981
+ "CVE-2020-8911",
1982
+ "GO-2022-0646",
1983
+ "GHSA-f5pg-7wfw-84q9"
1984
+ ],
1985
+ "fullDescription": {
1986
+ "markdown": "A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.",
1987
+ "text": "A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files."
1988
+ },
1989
+ "help": {
1990
+ "markdown": "**Your dependency is vulnerable to [CVE-2020-8911](https://osv.dev/CVE-2020-8911)**.\n\n## [GO-2022-0646](https://osv.dev/GO-2022-0646)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | github.com/aws/aws-sdk-go | 1.44.122 |\n| artifact:/usr/local/bin/terraform | github.com/aws/aws-sdk-go | 1.44.122 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-8911\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/usr/local/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-8911\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
1991
+ "text": "**Your dependency is vulnerable to [CVE-2020-8911](https://osv.dev/CVE-2020-8911)**.\n\n## [GO-2022-0646](https://osv.dev/GO-2022-0646)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | github.com/aws/aws-sdk-go | 1.44.122 |\n| artifact:/usr/local/bin/terraform | github.com/aws/aws-sdk-go | 1.44.122 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-8911\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/usr/local/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2020-8911\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
1992
+ },
1993
+ "id": "CVE-2020-8911",
1994
+ "name": "CVE-2020-8911",
1995
+ "relationships": [],
1996
+ "shortDescription": {
1997
+ "markdown": "CVE-2020-8911: CBC padding oracle issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go",
1998
+ "text": "CVE-2020-8911: CBC padding oracle issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go"
1999
+ }
2000
+ },
2001
+ {
2002
+ "deprecatedIds": [
2003
+ "CVE-2024-34155",
2004
+ "BIT-golang-2024-34155",
2005
+ "GO-2024-3105"
2006
+ ],
2007
+ "fullDescription": {
2008
+ "markdown": "Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.",
2009
+ "text": "Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion."
2010
+ },
2011
+ "help": {
2012
+ "markdown": "**Your dependency is vulnerable to [CVE-2024-34155](https://osv.dev/CVE-2024-34155)**.\n\n## [GO-2024-3105](https://osv.dev/GO-2024-3105)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | stdlib | 1.22.5 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2024-3105 | stdlib | 1.22.7, 1.23.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-34155\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
2013
+ "text": "**Your dependency is vulnerable to [CVE-2024-34155](https://osv.dev/CVE-2024-34155)**.\n\n## [GO-2024-3105](https://osv.dev/GO-2024-3105)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | stdlib | 1.22.5 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2024-3105 | stdlib | 1.22.7, 1.23.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-34155\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
2014
+ },
2015
+ "id": "CVE-2024-34155",
2016
+ "name": "CVE-2024-34155",
2017
+ "relationships": [],
2018
+ "shortDescription": {
2019
+ "markdown": "CVE-2024-34155: Stack exhaustion in all Parse functions in go/parser",
2020
+ "text": "CVE-2024-34155: Stack exhaustion in all Parse functions in go/parser"
2021
+ }
2022
+ },
2023
+ {
2024
+ "deprecatedIds": [
2025
+ "CVE-2024-34156",
2026
+ "BIT-golang-2024-34156",
2027
+ "GO-2024-3106"
2028
+ ],
2029
+ "fullDescription": {
2030
+ "markdown": "Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.",
2031
+ "text": "Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635."
2032
+ },
2033
+ "help": {
2034
+ "markdown": "**Your dependency is vulnerable to [CVE-2024-34156](https://osv.dev/CVE-2024-34156)**.\n\n## [GO-2024-3106](https://osv.dev/GO-2024-3106)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | stdlib | 1.22.5 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2024-3106 | stdlib | 1.22.7, 1.23.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-34156\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
2035
+ "text": "**Your dependency is vulnerable to [CVE-2024-34156](https://osv.dev/CVE-2024-34156)**.\n\n## [GO-2024-3106](https://osv.dev/GO-2024-3106)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | stdlib | 1.22.5 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2024-3106 | stdlib | 1.22.7, 1.23.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-34156\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
2036
+ },
2037
+ "id": "CVE-2024-34156",
2038
+ "name": "CVE-2024-34156",
2039
+ "relationships": [],
2040
+ "shortDescription": {
2041
+ "markdown": "CVE-2024-34156: Stack exhaustion in Decoder.Decode in encoding/gob",
2042
+ "text": "CVE-2024-34156: Stack exhaustion in Decoder.Decode in encoding/gob"
2043
+ }
2044
+ },
2045
+ {
2046
+ "deprecatedIds": [
2047
+ "CVE-2024-34158",
2048
+ "BIT-golang-2024-34158",
2049
+ "GO-2024-3107"
2050
+ ],
2051
+ "fullDescription": {
2052
+ "markdown": "Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.",
2053
+ "text": "Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion."
2054
+ },
2055
+ "help": {
2056
+ "markdown": "**Your dependency is vulnerable to [CVE-2024-34158](https://osv.dev/CVE-2024-34158)**.\n\n## [GO-2024-3107](https://osv.dev/GO-2024-3107)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | stdlib | 1.22.5 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2024-3107 | stdlib | 1.22.7, 1.23.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-34158\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
2057
+ "text": "**Your dependency is vulnerable to [CVE-2024-34158](https://osv.dev/CVE-2024-34158)**.\n\n## [GO-2024-3107](https://osv.dev/GO-2024-3107)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | stdlib | 1.22.5 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2024-3107 | stdlib | 1.22.7, 1.23.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-34158\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
2058
+ },
2059
+ "id": "CVE-2024-34158",
2060
+ "name": "CVE-2024-34158",
2061
+ "relationships": [],
2062
+ "shortDescription": {
2063
+ "markdown": "CVE-2024-34158: Stack exhaustion in Parse in go/build/constraint",
2064
+ "text": "CVE-2024-34158: Stack exhaustion in Parse in go/build/constraint"
2065
+ }
2066
+ },
2067
+ {
2068
+ "deprecatedIds": [
2069
+ "CVE-2024-45338",
2070
+ "GO-2024-3333",
2071
+ "GHSA-w32m-9786-jp63"
2072
+ ],
2073
+ "fullDescription": {
2074
+ "markdown": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
2075
+ "text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service."
2076
+ },
2077
+ "help": {
2078
+ "markdown": "**Your dependency is vulnerable to [CVE-2024-45338](https://osv.dev/CVE-2024-45338)**.\n\n## [GO-2024-3333](https://osv.dev/GO-2024-3333)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | golang.org/x/net | 0.25.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2024-3333 | golang.org/x/net | 0.33.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-45338\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
2079
+ "text": "**Your dependency is vulnerable to [CVE-2024-45338](https://osv.dev/CVE-2024-45338)**.\n\n## [GO-2024-3333](https://osv.dev/GO-2024-3333)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | golang.org/x/net | 0.25.0 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2024-3333 | golang.org/x/net | 0.33.0 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-45338\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
2080
+ },
2081
+ "id": "CVE-2024-45338",
2082
+ "name": "CVE-2024-45338",
2083
+ "relationships": [],
2084
+ "shortDescription": {
2085
+ "markdown": "CVE-2024-45338: Non-linear parsing of case-insensitive content in golang.org/x/net/html",
2086
+ "text": "CVE-2024-45338: Non-linear parsing of case-insensitive content in golang.org/x/net/html"
2087
+ }
2088
+ },
2089
+ {
2090
+ "deprecatedIds": [
2091
+ "CVE-2024-45341",
2092
+ "BIT-golang-2024-45341",
2093
+ "GO-2025-3373"
2094
+ ],
2095
+ "fullDescription": {
2096
+ "markdown": "A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain.\n\nCertificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.",
2097
+ "text": "A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain.\n\nCertificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs."
2098
+ },
2099
+ "help": {
2100
+ "markdown": "**Your dependency is vulnerable to [CVE-2024-45341](https://osv.dev/CVE-2024-45341)**.\n\n## [GO-2025-3373](https://osv.dev/GO-2025-3373)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain.\n\u003e \n\u003e Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | stdlib | 1.22.5 |\n| artifact:/usr/local/bin/actionlint | stdlib | 1.23.4 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2025-3373 | stdlib | 1.22.11, 1.23.5, 1.24.0-rc.2 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-45341\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/usr/local/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-45341\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
2101
+ "text": "**Your dependency is vulnerable to [CVE-2024-45341](https://osv.dev/CVE-2024-45341)**.\n\n## [GO-2025-3373](https://osv.dev/GO-2025-3373)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain.\n\u003e \n\u003e Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | stdlib | 1.22.5 |\n| artifact:/usr/local/bin/actionlint | stdlib | 1.23.4 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2025-3373 | stdlib | 1.22.11, 1.23.5, 1.24.0-rc.2 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-45341\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/usr/local/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-45341\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
2102
+ },
2103
+ "id": "CVE-2024-45341",
2104
+ "name": "CVE-2024-45341",
2105
+ "relationships": [],
2106
+ "shortDescription": {
2107
+ "markdown": "CVE-2024-45341: Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509",
2108
+ "text": "CVE-2024-45341: Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509"
2109
+ }
2110
+ },
2111
+ {
2112
+ "deprecatedIds": [
2113
+ "CVE-2024-45336",
2114
+ "BIT-golang-2024-45336",
2115
+ "GO-2025-3420"
2116
+ ],
2117
+ "fullDescription": {
2118
+ "markdown": "The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com.\n\nIn the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.",
2119
+ "text": "The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com.\n\nIn the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2."
2120
+ },
2121
+ "help": {
2122
+ "markdown": "**Your dependency is vulnerable to [CVE-2024-45336](https://osv.dev/CVE-2024-45336)**.\n\n## [GO-2025-3420](https://osv.dev/GO-2025-3420)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com.\n\u003e \n\u003e In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | stdlib | 1.22.5 |\n| artifact:/usr/local/bin/actionlint | stdlib | 1.23.4 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2025-3420 | stdlib | 1.22.11, 1.23.5, 1.24.0-rc.2 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-45336\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/usr/local/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-45336\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
2123
+ "text": "**Your dependency is vulnerable to [CVE-2024-45336](https://osv.dev/CVE-2024-45336)**.\n\n## [GO-2025-3420](https://osv.dev/GO-2025-3420)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com.\n\u003e \n\u003e In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | stdlib | 1.22.5 |\n| artifact:/usr/local/bin/actionlint | stdlib | 1.23.4 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2025-3420 | stdlib | 1.22.11, 1.23.5, 1.24.0-rc.2 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-45336\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/usr/local/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-45336\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
2124
+ },
2125
+ "id": "CVE-2024-45336",
2126
+ "name": "CVE-2024-45336",
2127
+ "relationships": [],
2128
+ "shortDescription": {
2129
+ "markdown": "CVE-2024-45336: Sensitive headers incorrectly sent after cross-domain redirect in net/http",
2130
+ "text": "CVE-2024-45336: Sensitive headers incorrectly sent after cross-domain redirect in net/http"
2131
+ }
2132
+ },
2133
+ {
2134
+ "deprecatedIds": [
2135
+ "CVE-2025-22866",
2136
+ "BIT-golang-2025-22866",
2137
+ "GO-2025-3447"
2138
+ ],
2139
+ "fullDescription": {
2140
+ "markdown": "Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.",
2141
+ "text": "Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols."
2142
+ },
2143
+ "help": {
2144
+ "markdown": "**Your dependency is vulnerable to [CVE-2025-22866](https://osv.dev/CVE-2025-22866)**.\n\n## [GO-2025-3447](https://osv.dev/GO-2025-3447)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | stdlib | 1.22.5 |\n| artifact:/usr/local/bin/actionlint | stdlib | 1.23.4 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2025-3447 | stdlib | 1.22.12, 1.23.6, 1.24.0-rc.3 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-22866\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/usr/local/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-22866\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
2145
+ "text": "**Your dependency is vulnerable to [CVE-2025-22866](https://osv.dev/CVE-2025-22866)**.\n\n## [GO-2025-3447](https://osv.dev/GO-2025-3447)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | stdlib | 1.22.5 |\n| artifact:/usr/local/bin/actionlint | stdlib | 1.23.4 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2025-3447 | stdlib | 1.22.12, 1.23.6, 1.24.0-rc.3 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-22866\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/usr/local/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-22866\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
2146
+ },
2147
+ "id": "CVE-2025-22866",
2148
+ "name": "CVE-2025-22866",
2149
+ "relationships": [],
2150
+ "shortDescription": {
2151
+ "markdown": "CVE-2025-22866: Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec",
2152
+ "text": "CVE-2025-22866: Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec"
2153
+ }
2154
+ },
2155
+ {
2156
+ "deprecatedIds": [
2157
+ "CVE-2025-22871",
2158
+ "BIT-golang-2025-22871",
2159
+ "GO-2025-3563"
2160
+ ],
2161
+ "fullDescription": {
2162
+ "markdown": "The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.",
2163
+ "text": "The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext."
2164
+ },
2165
+ "help": {
2166
+ "markdown": "**Your dependency is vulnerable to [CVE-2025-22871](https://osv.dev/CVE-2025-22871)**.\n\n## [GO-2025-3563](https://osv.dev/GO-2025-3563)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | stdlib | 1.22.5 |\n| artifact:/usr/local/bin/actionlint | stdlib | 1.23.4 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2025-3563 | stdlib | 1.23.8, 1.24.2 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-22871\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/usr/local/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-22871\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
2167
+ "text": "**Your dependency is vulnerable to [CVE-2025-22871](https://osv.dev/CVE-2025-22871)**.\n\n## [GO-2025-3563](https://osv.dev/GO-2025-3563)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | stdlib | 1.22.5 |\n| artifact:/usr/local/bin/actionlint | stdlib | 1.23.4 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2025-3563 | stdlib | 1.23.8, 1.24.2 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-22871\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/usr/local/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-22871\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
2168
+ },
2169
+ "id": "CVE-2025-22871",
2170
+ "name": "CVE-2025-22871",
2171
+ "relationships": [],
2172
+ "shortDescription": {
2173
+ "markdown": "CVE-2025-22871: Request smuggling due to acceptance of invalid chunked data in net/http",
2174
+ "text": "CVE-2025-22871: Request smuggling due to acceptance of invalid chunked data in net/http"
2175
+ }
2176
+ },
2177
+ {
2178
+ "deprecatedIds": [
2179
+ "CVE-2025-22874",
2180
+ "BIT-golang-2025-22874",
2181
+ "GO-2025-3749"
2182
+ ],
2183
+ "fullDescription": {
2184
+ "markdown": "Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.",
2185
+ "text": "Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon."
2186
+ },
2187
+ "help": {
2188
+ "markdown": "**Your dependency is vulnerable to [CVE-2025-22874](https://osv.dev/CVE-2025-22874)**.\n\n## [GO-2025-3749](https://osv.dev/GO-2025-3749)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/local/bin/terraform | stdlib | 1.24.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2025-3749 | stdlib | 1.24.4 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/local/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-22874\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
2189
+ "text": "**Your dependency is vulnerable to [CVE-2025-22874](https://osv.dev/CVE-2025-22874)**.\n\n## [GO-2025-3749](https://osv.dev/GO-2025-3749)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/local/bin/terraform | stdlib | 1.24.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2025-3749 | stdlib | 1.24.4 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/local/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-22874\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
2190
+ },
2191
+ "id": "CVE-2025-22874",
2192
+ "name": "CVE-2025-22874",
2193
+ "relationships": [],
2194
+ "shortDescription": {
2195
+ "markdown": "CVE-2025-22874: Usage of ExtKeyUsageAny disables policy validation in crypto/x509",
2196
+ "text": "CVE-2025-22874: Usage of ExtKeyUsageAny disables policy validation in crypto/x509"
2197
+ }
2198
+ },
2199
+ {
2200
+ "deprecatedIds": [
2201
+ "CVE-2025-0913",
2202
+ "BIT-golang-2025-0913",
2203
+ "GO-2025-3750"
2204
+ ],
2205
+ "fullDescription": {
2206
+ "markdown": "os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.",
2207
+ "text": "os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink."
2208
+ },
2209
+ "help": {
2210
+ "markdown": "**Your dependency is vulnerable to [CVE-2025-0913](https://osv.dev/CVE-2025-0913)**.\n\n## [GO-2025-3750](https://osv.dev/GO-2025-3750)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | stdlib | 1.22.5 |\n| artifact:/usr/local/bin/actionlint | stdlib | 1.23.4 |\n| artifact:/usr/local/bin/terraform | stdlib | 1.24.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2025-3750 | stdlib | 1.23.10, 1.24.4 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-0913\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/usr/local/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-0913\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
2211
+ "text": "**Your dependency is vulnerable to [CVE-2025-0913](https://osv.dev/CVE-2025-0913)**.\n\n## [GO-2025-3750](https://osv.dev/GO-2025-3750)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | stdlib | 1.22.5 |\n| artifact:/usr/local/bin/actionlint | stdlib | 1.23.4 |\n| artifact:/usr/local/bin/terraform | stdlib | 1.24.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2025-3750 | stdlib | 1.23.10, 1.24.4 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-0913\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/usr/local/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-0913\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
2212
+ },
2213
+ "id": "CVE-2025-0913",
2214
+ "name": "CVE-2025-0913",
2215
+ "relationships": [],
2216
+ "shortDescription": {
2217
+ "markdown": "CVE-2025-0913: Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os in syscall",
2218
+ "text": "CVE-2025-0913: Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os in syscall"
2219
+ }
2220
+ },
2221
+ {
2222
+ "deprecatedIds": [
2223
+ "CVE-2025-4673",
2224
+ "BIT-golang-2025-4673",
2225
+ "GO-2025-3751"
2226
+ ],
2227
+ "fullDescription": {
2228
+ "markdown": "Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.",
2229
+ "text": "Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information."
2230
+ },
2231
+ "help": {
2232
+ "markdown": "**Your dependency is vulnerable to [CVE-2025-4673](https://osv.dev/CVE-2025-4673)**.\n\n## [GO-2025-3751](https://osv.dev/GO-2025-3751)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | stdlib | 1.22.5 |\n| artifact:/usr/local/bin/actionlint | stdlib | 1.23.4 |\n| artifact:/usr/local/bin/terraform | stdlib | 1.24.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2025-3751 | stdlib | 1.23.10, 1.24.4 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-4673\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/usr/local/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-4673\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
2233
+ "text": "**Your dependency is vulnerable to [CVE-2025-4673](https://osv.dev/CVE-2025-4673)**.\n\n## [GO-2025-3751](https://osv.dev/GO-2025-3751)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | stdlib | 1.22.5 |\n| artifact:/usr/local/bin/actionlint | stdlib | 1.23.4 |\n| artifact:/usr/local/bin/terraform | stdlib | 1.24.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2025-3751 | stdlib | 1.23.10, 1.24.4 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-4673\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/usr/local/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-4673\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
2234
+ },
2235
+ "id": "CVE-2025-4673",
2236
+ "name": "CVE-2025-4673",
2237
+ "relationships": [],
2238
+ "shortDescription": {
2239
+ "markdown": "CVE-2025-4673: Sensitive headers not cleared on cross-origin redirect in net/http",
2240
+ "text": "CVE-2025-4673: Sensitive headers not cleared on cross-origin redirect in net/http"
2241
+ }
2242
+ },
2243
+ {
2244
+ "deprecatedIds": [
2245
+ "CVE-2025-47907",
2246
+ "GO-2025-3849"
2247
+ ],
2248
+ "fullDescription": {
2249
+ "markdown": "Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.",
2250
+ "text": "Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error."
2251
+ },
2252
+ "help": {
2253
+ "markdown": "**Your dependency is vulnerable to [CVE-2025-47907](https://osv.dev/CVE-2025-47907)**.\n\n## [GO-2025-3849](https://osv.dev/GO-2025-3849)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | stdlib | 1.22.5 |\n| artifact:/usr/local/bin/actionlint | stdlib | 1.23.4 |\n| artifact:/usr/local/bin/terraform | stdlib | 1.24.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2025-3849 | stdlib | 1.23.12, 1.24.6 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-47907\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/usr/local/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-47907\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
2254
+ "text": "**Your dependency is vulnerable to [CVE-2025-47907](https://osv.dev/CVE-2025-47907)**.\n\n## [GO-2025-3849](https://osv.dev/GO-2025-3849)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| artifact:/usr/bin/tflint | stdlib | 1.22.5 |\n| artifact:/usr/local/bin/actionlint | stdlib | 1.23.4 |\n| artifact:/usr/local/bin/terraform | stdlib | 1.24.2 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2025-3849 | stdlib | 1.23.12, 1.24.6 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/usr/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-47907\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/usr/local/bin/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2025-47907\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
2255
+ },
2256
+ "id": "CVE-2025-47907",
2257
+ "name": "CVE-2025-47907",
2258
+ "relationships": [],
2259
+ "shortDescription": {
2260
+ "markdown": "CVE-2025-47907: Incorrect results returned from Rows.Scan in database/sql",
2261
+ "text": "CVE-2025-47907: Incorrect results returned from Rows.Scan in database/sql"
2262
+ }
2263
+ }
2264
+ ],
2265
+ "supportedTaxonomies": [],
2266
+ "taxa": [],
2267
+ "version": "2.2.0"
2268
+ },
2269
+ "extensions": []
2270
+ },
2271
+ "translations": [],
2272
+ "versionControlProvenance": [],
2273
+ "webRequests": [],
2274
+ "webResponses": []
2275
+ }
2276
+ ],
2277
+ "properties": {}
2278
+ }