data/reports: add 12 reports

  - data/reports/GO-2025-3657.yaml
  - data/reports/GO-2025-3670.yaml
  - data/reports/GO-2025-3671.yaml
  - data/reports/GO-2025-3672.yaml
  - data/reports/GO-2025-3678.yaml
  - data/reports/GO-2025-3679.yaml
  - data/reports/GO-2025-3680.yaml
  - data/reports/GO-2025-3682.yaml
  - data/reports/GO-2025-3684.yaml
  - data/reports/GO-2025-3686.yaml
  - data/reports/GO-2025-3687.yaml
  - data/reports/GO-2025-3688.yaml

Fixes #3657
Fixes #3670
Fixes #3671
Fixes #3672
Fixes #3678
Fixes #3679
Fixes #3680
Fixes #3682
Fixes #3684
Fixes #3686
Fixes #3687
Fixes #3688

Change-Id: Ic1e450f615e770e3e2e5bd1112a7f18cda8aa189
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/673317
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
Auto-Submit: Neal Patel <nealpatel@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

Author: thatnealpatel

data/osv/GO-2025-3657.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3657",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-46331",
+    "GHSA-w222-m46c-mgh6"
+  ],
+  "summary": "OpenFGA Authorization Bypass in github.com/openfga/openfga",
+  "details": "OpenFGA Authorization Bypass in github.com/openfga/openfga",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/openfga/openfga",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "1.3.6"
+            },
+            {
+              "fixed": "1.8.11"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/openfga/openfga/security/advisories/GHSA-w222-m46c-mgh6"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46331"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/openfga/openfga/commit/244302e7a8b979d66cc1874a3899cdff7d47862f"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3657",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3670.json

@@ -0,0 +1,49 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3670",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-46735",
+    "GHSA-4vgf-2cm4-mp7c"
+  ],
+  "summary": "Terraform WinDNS Provider improperly sanitizes input variables in `windns_record` in github.com/nrkno/terraform-provider-windns",
+  "details": "Terraform WinDNS Provider improperly sanitizes input variables in `windns_record` in github.com/nrkno/terraform-provider-windns",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/nrkno/terraform-provider-windns",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/nrkno/terraform-provider-windns/security/advisories/GHSA-4vgf-2cm4-mp7c"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46735"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/nrkno/terraform-provider-windns/commit/c76f69610c1b502f90aaed8c4f102194530b5bce"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3670",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3671.json

@@ -0,0 +1,87 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3671",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-46815",
+    "GHSA-g4r8-mp7g-85fq"
+  ],
+  "summary": "ZITADEL Allows IdP Intent Token Reuse in github.com/zitadel/zitadel",
+  "details": "ZITADEL Allows IdP Intent Token Reuse in github.com/zitadel/zitadel.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/zitadel/zitadel before v2.70.10, from v2.71.0 before v2.71.9, from v3.0.0-rc.1 before v3.0.0.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/zitadel/zitadel",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "2.70.10"
+              },
+              {
+                "introduced": "2.71.0"
+              },
+              {
+                "fixed": "2.71.9"
+              },
+              {
+                "introduced": "3.0.0-rc.1"
+              },
+              {
+                "fixed": "3.0.0"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-g4r8-mp7g-85fq"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46815"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/zitadel/zitadel/commit/b1e60e7398d677f08b06fd7715227f70b7ca1162"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.70.10"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.71.9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zitadel/zitadel/releases/tag/v3.0.0"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3671",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3672.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3672",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-46816",
+    "GHSA-rwj2-w85g-5cmm"
+  ],
+  "summary": "goshs route not protected, allows command execution in github.com/patrickhener/goshs",
+  "details": "goshs route not protected, allows command execution in github.com/patrickhener/goshs",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/patrickhener/goshs",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0.3.4"
+            },
+            {
+              "fixed": "1.0.5"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-rwj2-w85g-5cmm"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46816"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/patrickhener/goshs/commit/160220974576afe5111485b8d12fd36058984cfa"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3672",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3678.json

@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3678",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-4432"
+  ],
+  "summary": "Ring: some aes functions may panic when overflow checking is enabled in ring in github.com/briansmith/ring",
+  "details": "Ring: some aes functions may panic when overflow checking is enabled in ring in github.com/briansmith/ring",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/briansmith/ring",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4432"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/briansmith/ring/commit/ec2d3cf1d91f148c84e4806b4f0b3c98f6df3b38"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/briansmith/ring/pull/2447"
+    },
+    {
+      "type": "REPORT",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2350655"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2025-4432"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/briansmith/ring"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/briansmith/ring/blob/main/RELEASES.md#version-01712-2025-03-05"
+    },
+    {
+      "type": "WEB",
+      "url": "https://rustsec.org/advisories/RUSTSEC-2025-0009.html"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3678",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3679.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3679",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-3757",
+    "GHSA-537f-gxgm-3jjq"
+  ],
+  "summary": "OpenPubkey Vulnerable to Authentication Bypass in github.com/openpubkey/openpubkey",
+  "details": "OpenPubkey Vulnerable to Authentication Bypass in github.com/openpubkey/openpubkey",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/openpubkey/openpubkey",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.10.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/openpubkey/openpubkey/security/advisories/GHSA-537f-gxgm-3jjq"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3757"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3679",
+    "review_status": "UNREVIEWED"
+  }
+}