core icon indicating copy to clipboard operation
core copied to clipboard
verified publisher icon datarhei

govulncheck finds called vulnerabilities

Open nathanlaceyraft opened this issue 7 months ago • 0 comments

govulncheck ./...

=== Symbol Results ===

Vulnerability https://github.com/datarhei/core/pull/1: GO-2025-3595 Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net More info: https://pkg.go.dev/vuln/GO-2025-3595 Module: golang.org/x/net Found in: golang.org/x/[email protected] Fixed in: golang.org/x/[email protected]

Vulnerability #2: GO-2025-3553 Excessive memory allocation during header parsing in github.com/golang-jwt/jwt More info: https://pkg.go.dev/vuln/GO-2025-3553 Module: github.com/golang-jwt/jwt Found in: github.com/golang-jwt/[email protected]+incompatible Fixed in: N/A Example traces found: https://github.com/datarhei/core/pull/1: http/middleware/session/HLS.go:20:2: session.init calls middleware.init, which calls jwt.init

Module: github.com/golang-jwt/jwt/v4 Found in: github.com/golang-jwt/jwt/[email protected] Fixed in: github.com/golang-jwt/jwt/[email protected] Example traces found: https://github.com/datarhei/core/pull/1: http/server.go:402:20: http.server.ServeHTTP calls echo.Echo.ServeHTTP, which eventually calls jwt.Parser.ParseUnverified

Module: github.com/golang-jwt/jwt/v5 Found in: github.com/golang-jwt/jwt/[email protected] Fixed in: github.com/golang-jwt/jwt/[email protected] Example traces found: https://github.com/datarhei/core/pull/1: http/jwt/validator.go:114:36: jwt.auth0Validator.Validate calls jwt.Parser.ParseUnverified

Vulnerability https://github.com/datarhei/core/pull/3: GO-2024-3250 Improper error handling in ParseWithClaims and bad documentation may cause dangerous situations in github.com/golang-jwt/jwt More info: https://pkg.go.dev/vuln/GO-2024-3250 Module: github.com/golang-jwt/jwt/v4 Found in: github.com/golang-jwt/jwt/[email protected] Fixed in: github.com/golang-jwt/jwt/[email protected] Example traces found: https://github.com/datarhei/core/pull/1: http/server.go:402:20: http.server.ServeHTTP calls echo.Echo.ServeHTTP, which eventually calls jwt.ParseWithClaims

Vulnerability #4: GO-2024-2920 Denial of service vulnerability via the parseDirectives function in github.com/vektah/gqlparser More info: https://pkg.go.dev/vuln/GO-2024-2920 Module: github.com/vektah/gqlparser/v2 Found in: github.com/vektah/gqlparser/[email protected] Fixed in: github.com/vektah/gqlparser/[email protected] Example traces found: https://github.com/datarhei/core/pull/1: http/handler/api/graph.go:46:26: api.GraphHandler.Query calls handler.Server.ServeHTTP, which eventually calls parser.ParseQuery #2: http/graph/graph/graph.go:1832:44: graph.init calls gqlparser.MustLoadSchema, which eventually calls parser.ParseSchemas

You can resolve the CVE's by updating libraries

go get github.com/golang-jwt/jwt/v4

go get github.com/vektah/gqlparser/v2

go get golang.org/x/net

go get github.com/labstack/echo-jwt

go get github.com/golang-jwt/jwt/v5

go get github.com/labstack/echo/v4

I've done the work within https://github.com/datarhei/core/pull/29

nathanlaceyraft avatar Jun 04 '25 11:06 nathanlaceyraft