Fluid Attacks Database

Description

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	golang-1.15	=1.15.15-1 \|\| =1.15.15-1~deb11u1 \|\| =1.15.15-1~deb11u2 \|\| =1.15.15-1~deb11u3 \|\| =1.15.15-1~deb11u4 \|\| =1.15.15-2 \|\| =1.15.15-3 \|\| =1.15.15-4 \|\| =1.15.15-5 \|\| =1.15.9-6	-
debian 12	golang-1.19	=1.19.10-1 \|\| =1.19.10-2 \|\| =1.19.11-1 \|\| =1.19.12-1 \|\| =1.19.12-2 \|\| =1.19.12-2~bpo11+1 \|\| =1.19.12-2~bpo12+1 \|\| =1.19.13-1 \|\| =1.19.13-1~bpo11+1 \|\| =1.19.13-1~bpo12+1 \|\| =1.19.8-2 \|\| =1.19.9-1	-
debian 13	golang-1.24	=1.24.12-1 \|\| =1.24.13-1 \|\| =1.24.13-2 \|\| =1.24.4-1 \|\| =1.24.4-2 \|\| =1.24.4-3 \|\| =1.24.4-4 \|\| =1.24.7-1 \|\| =1.24.8-1 \|\| =1.24.9-1	-
debian 14	golang-1.25	=1.25.0-1 \|\| =1.25.0-2 \|\| =1.25.1-1 \|\| >=0 <1.25.2-1	1.25.2-1
go	stdlib	>=0 <1.24.8	1.24.8
rpm rhel8	grafana	-	-
rpm rhel9	grafana	-	-
rpm rhel10	image-builder	-	-
rpm rhel10	go-fdo-server	-	-
rpm rhel8	runc	-	-

1-10 of 63

Aliases

1. CVE-2025-581892. NVD-2025-581893. OSV-DEBIAN-2025-581894. OSV-2025-581895. OSV-GO-2025-40086. GCVE-2025-581897. SECURITY-TRACKER-CVE-2025-58189

References

1. https://go.dev/cl/7077762. https://go.dev/issue/756523. https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.