govulncheck finds called vulnerabilities #30
Description
govulncheck ./...
=== Symbol Results ===
Vulnerability #1: GO-2025-3595
Incorrect Neutralization of Input During Web Page Generation in x/net in
golang.org/x/net
More info: https://pkg.go.dev/vuln/GO-2025-3595
Module: golang.org/x/net
Found in: golang.org/x/net@v0.25.0
Fixed in: golang.org/x/net@v0.38.0
Vulnerability #2: GO-2025-3553
Excessive memory allocation during header parsing in
github.com/golang-jwt/jwt
More info: https://pkg.go.dev/vuln/GO-2025-3553
Module: github.com/golang-jwt/jwt
Found in: github.com/golang-jwt/jwt@v3.2.2+incompatible
Fixed in: N/A
Example traces found:
#1: http/middleware/session/HLS.go:20:2: session.init calls middleware.init, which calls jwt.init
Module: github.com/golang-jwt/jwt/v4
Found in: github.com/golang-jwt/jwt/v4@v4.5.0
Fixed in: github.com/golang-jwt/jwt/v4@v4.5.2
Example traces found:
#1: http/server.go:402:20: http.server.ServeHTTP calls echo.Echo.ServeHTTP, which eventually calls jwt.Parser.ParseUnverified
Module: github.com/golang-jwt/jwt/v5
Found in: github.com/golang-jwt/jwt/v5@v5.2.1
Fixed in: github.com/golang-jwt/jwt/v5@v5.2.2
Example traces found:
#1: http/jwt/validator.go:114:36: jwt.auth0Validator.Validate calls jwt.Parser.ParseUnverified
Vulnerability #3: GO-2024-3250
Improper error handling in ParseWithClaims and bad documentation may cause
dangerous situations in github.com/golang-jwt/jwt
More info: https://pkg.go.dev/vuln/GO-2024-3250
Module: github.com/golang-jwt/jwt/v4
Found in: github.com/golang-jwt/jwt/v4@v4.5.0
Fixed in: github.com/golang-jwt/jwt/v4@v4.5.1
Example traces found:
#1: http/server.go:402:20: http.server.ServeHTTP calls echo.Echo.ServeHTTP, which eventually calls jwt.ParseWithClaims
Vulnerability #4: GO-2024-2920
Denial of service vulnerability via the parseDirectives function in
github.com/vektah/gqlparser
More info: https://pkg.go.dev/vuln/GO-2024-2920
Module: github.com/vektah/gqlparser/v2
Found in: github.com/vektah/gqlparser/v2@v2.5.12
Fixed in: github.com/vektah/gqlparser/v2@v2.5.14
Example traces found:
#1: http/handler/api/graph.go:46:26: api.GraphHandler.Query calls handler.Server.ServeHTTP, which eventually calls parser.ParseQuery
#2: http/graph/graph/graph.go:1832:44: graph.init calls gqlparser.MustLoadSchema, which eventually calls parser.ParseSchemas
You can resolve the CVE's by updating libraries
go get github.com/golang-jwt/jwt/v4
go get github.com/vektah/gqlparser/v2
go get golang.org/x/net
go get github.com/labstack/echo-jwt
go get github.com/golang-jwt/jwt/v5
go get github.com/labstack/echo/v4
I've done the work within #29