data/reports: add 3 reports
- data/reports/GO-2025-3533.yaml
- data/reports/GO-2025-3540.yaml
- data/reports/GO-2025-3553.yaml
Fixes golang/vulndb#3533
Fixes golang/vulndb#3540
Fixes golang/vulndb#3553
Change-Id: I0c24a93941b97414ae721cd9529d15ea9bf3abf4
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/660655
Auto-Submit: Neal Patel <nealpatel@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
diff --git a/data/osv/GO-2025-3533.json b/data/osv/GO-2025-3533.json
new file mode 100644
index 0000000..d3b5d6b
--- /dev/null
+++ b/data/osv/GO-2025-3533.json
@@ -0,0 +1,84 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3533",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-30153",
+ "GHSA-wq9g-9vfc-cfq9"
+ ],
+ "summary": "Improper Handling of Highly Compressed Data (Data Amplification) in github.com/getkin/kin-openapi/openapi3filter",
+ "details": "Improper Handling of Highly Compressed Data (Data Amplification) in github.com/getkin/kin-openapi/openapi3filter",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/getkin/kin-openapi",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.131.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/getkin/kin-openapi/openapi3filter",
+ "symbols": [
+ "ValidateParameter",
+ "ValidateRequest",
+ "ValidateRequestBody",
+ "ValidateResponse",
+ "ValidationHandler.ServeHTTP",
+ "csvBodyDecoder",
+ "joinValues",
+ "multipartBodyDecoder",
+ "plainBodyDecoder",
+ "urlencodedBodyDecoder",
+ "yamlBodyDecoder",
+ "zipFileBodyDecoder"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/getkin/kin-openapi/security/advisories/GHSA-wq9g-9vfc-cfq9"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/getkin/kin-openapi/commit/67f0b233ffc01332f7d993f79490fbea5f4455f1"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/getkin/kin-openapi/pull/1059"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/getkin/kin-openapi/blob/6da871e0e170b7637eb568c265c08bc2b5d6e7a3/openapi3filter/req_resp_decoder.go#L1275"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/getkin/kin-openapi/blob/6da871e0e170b7637eb568c265c08bc2b5d6e7a3/openapi3filter/req_resp_decoder.go#L1523"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/getkin/kin-openapi?tab=readme-ov-file#custom-content-type-for-body-of-http-requestresponse"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3533",
+ "review_status": "REVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3540.json b/data/osv/GO-2025-3540.json
new file mode 100644
index 0000000..e63335e
--- /dev/null
+++ b/data/osv/GO-2025-3540.json
@@ -0,0 +1,261 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3540",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-29923",
+ "GHSA-92cp-5422-2mw7"
+ ],
+ "summary": "Potential out of order responses when CLIENT SETINFO times out during connection establishment in github.com/redis/go-redis",
+ "details": "Potential out of order responses when CLIENT SETINFO times out during connection establishment in github.com/redis/go-redis",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/redis/go-redis",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "9.6.0b1"
+ }
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "name": "github.com/redis/go-redis",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "9.6.0b1"
+ }
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "name": "github.com/redis/go-redis",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/redis/go-redis/v9",
+ "symbols": [
+ "baseClient.initConn",
+ "redis.ClusterOptions",
+ "redis.FailoverOptions",
+ "redis.RingOptions",
+ "redis.UniversalOptions"
+ ]
+ }
+ ],
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "9.6.0b1"
+ }
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "name": "github.com/redis/go-redis/v7",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/redis/go-redis/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/redis/go-redis/v9",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.5.1"
+ },
+ {
+ "fixed": "9.5.5"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/redis/go-redis/v9",
+ "symbols": [
+ "baseClient.initConn",
+ "redis.ClusterOptions",
+ "redis.FailoverOptions",
+ "redis.RingOptions",
+ "redis.UniversalOptions"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "name": "github.com/redis/go-redis/v9",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "9.6.3"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/redis/go-redis/v9",
+ "symbols": [
+ "baseClient.initConn",
+ "redis.ClusterOptions",
+ "redis.FailoverOptions",
+ "redis.RingOptions",
+ "redis.UniversalOptions"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "name": "github.com/redis/go-redis/v9",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.7.0-beta.1"
+ },
+ {
+ "fixed": "9.7.3"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/redis/go-redis/v9",
+ "symbols": [
+ "baseClient.initConn",
+ "redis.ClusterOptions",
+ "redis.FailoverOptions",
+ "redis.RingOptions",
+ "redis.UniversalOptions"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/redis/go-redis/security/advisories/GHSA-92cp-5422-2mw7"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/redis/go-redis/pull/3295"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3540",
+ "review_status": "REVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3553.json b/data/osv/GO-2025-3553.json
new file mode 100644
index 0000000..502b69e
--- /dev/null
+++ b/data/osv/GO-2025-3553.json
@@ -0,0 +1,103 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3553",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-30204",
+ "GHSA-mh63-6h87-95cp"
+ ],
+ "summary": "Excessive memory allocation during header parsing in github.com/golang-jwt/jwt",
+ "details": "Excessive memory allocation during header parsing in github.com/golang-jwt/jwt",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/golang-jwt/jwt",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/golang-jwt/jwt/v4",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "4.5.2"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/golang-jwt/jwt/v4",
+ "symbols": [
+ "ParseUnverified"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "name": "github.com/golang-jwt/jwt/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "5.0.0-rc.1"
+ },
+ {
+ "fixed": "5.2.2"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/golang-jwt/jwt/v5",
+ "symbols": [
+ "ParseUnverified"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3553",
+ "review_status": "REVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2025-3533.yaml b/data/reports/GO-2025-3533.yaml
new file mode 100644
index 0000000..c8c33a9
--- /dev/null
+++ b/data/reports/GO-2025-3533.yaml
@@ -0,0 +1,40 @@
+id: GO-2025-3533
+modules:
+ - module: github.com/getkin/kin-openapi
+ versions:
+ - fixed: 0.131.0
+ vulnerable_at: 0.130.0
+ packages:
+ - package: github.com/getkin/kin-openapi/openapi3filter
+ symbols:
+ - plainBodyDecoder
+ - yamlBodyDecoder
+ - urlencodedBodyDecoder
+ - multipartBodyDecoder
+ - zipFileBodyDecoder
+ - csvBodyDecoder
+ - joinValues
+ derived_symbols:
+ - ValidateParameter
+ - ValidateRequest
+ - ValidateRequestBody
+ - ValidateResponse
+ - ValidationHandler.ServeHTTP
+summary: |-
+ Improper Handling of Highly Compressed Data (Data Amplification) in
+ github.com/getkin/kin-openapi/openapi3filter
+cves:
+ - CVE-2025-30153
+ghsas:
+ - GHSA-wq9g-9vfc-cfq9
+references:
+ - advisory: https://github.com/getkin/kin-openapi/security/advisories/GHSA-wq9g-9vfc-cfq9
+ - fix: https://github.com/getkin/kin-openapi/commit/67f0b233ffc01332f7d993f79490fbea5f4455f1
+ - fix: https://github.com/getkin/kin-openapi/pull/1059
+ - web: https://github.com/getkin/kin-openapi/blob/6da871e0e170b7637eb568c265c08bc2b5d6e7a3/openapi3filter/req_resp_decoder.go#L1275
+ - web: https://github.com/getkin/kin-openapi/blob/6da871e0e170b7637eb568c265c08bc2b5d6e7a3/openapi3filter/req_resp_decoder.go#L1523
+ - web: https://github.com/getkin/kin-openapi?tab=readme-ov-file#custom-content-type-for-body-of-http-requestresponse
+source:
+ id: GHSA-wq9g-9vfc-cfq9
+ created: 2025-03-25T12:09:20.279707-04:00
+review_status: REVIEWED
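Review bot: The report has no `description` field, so the generated OSV `details` (data/osv/GO-2025-3533.json, L29) is a verbatim copy of the summary and tells a reader nothing about what the amplification is or which request bodies trigger it. The listed symbols (zipFileBodyDecoder and the other body decoders, L497-L503) and the two `web` references into req_resp_decoder.go suggest the linked advisory has enough material for a short `description: |-` paragraph naming the affected body decoders and the fixed version; add one in the advisory's own terms rather than paraphrased from the symbol list. The same gap is present in GO-2025-3540.yaml and GO-2025-3553.yaml in this change.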
diff --git a/data/reports/GO-2025-3540.yaml b/data/reports/GO-2025-3540.yaml
new file mode 100644
index 0000000..ec8ed57
--- /dev/null
+++ b/data/reports/GO-2025-3540.yaml
@@ -0,0 +1,82 @@
+id: GO-2025-3540
+modules:
+ - module: github.com/redis/go-redis
+ non_go_versions:
+ - introduced: 9.6.0b1
+ vulnerable_at: 6.15.9+incompatible
+ - module: github.com/redis/go-redis
+ non_go_versions:
+ - introduced: 9.6.0b1
+ vulnerable_at: 6.15.9+incompatible
+ - module: github.com/redis/go-redis
+ non_go_versions:
+ - introduced: 9.6.0b1
+ vulnerable_at: 6.15.9+incompatible
+ packages:
+ - package: github.com/redis/go-redis/v9
+ symbols:
+ - redis.ClusterOptions
+ - redis.RingOptions
+ - redis.FailoverOptions
+ - redis.UniversalOptions
+ - baseClient.initConn
+ - module: github.com/redis/go-redis/v7
+ vulnerable_at: 7.4.1
+ - module: github.com/redis/go-redis/v8
+ vulnerable_at: 8.11.5
+ - module: github.com/redis/go-redis/v9
+ versions:
+ - introduced: 9.5.1
+ - fixed: 9.5.5
+ vulnerable_at: 9.5.4
+ packages:
+ - package: github.com/redis/go-redis/v9
+ symbols:
+ - redis.ClusterOptions
+ - redis.RingOptions
+ - redis.FailoverOptions
+ - redis.UniversalOptions
+ - baseClient.initConn
+ - module: github.com/redis/go-redis/v9
+ versions:
+ - fixed: 9.6.3
+ vulnerable_at: 9.6.2
+ packages:
+ - package: github.com/redis/go-redis/v9
+ symbols:
+ - redis.ClusterOptions
+ - redis.RingOptions
+ - redis.FailoverOptions
+ - redis.UniversalOptions
+ - baseClient.initConn
+ - module: github.com/redis/go-redis/v9
+ versions:
+ - introduced: 9.7.0-beta.1
+ - fixed: 9.7.3
+ vulnerable_at: 9.7.2
+ packages:
+ - package: github.com/redis/go-redis/v9
+ symbols:
+ - redis.ClusterOptions
+ - redis.RingOptions
+ - redis.FailoverOptions
+ - redis.UniversalOptions
+ - baseClient.initConn
+summary: |-
+ Potential out of order responses when CLIENT SETINFO times out during connection
+ establishment in github.com/redis/go-redis
+cves:
+ - CVE-2025-29923
+ghsas:
+ - GHSA-92cp-5422-2mw7
+references:
+ - advisory: https://github.com/redis/go-redis/security/advisories/GHSA-92cp-5422-2mw7
+ - fix: https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6
+ - fix: https://github.com/redis/go-redis/pull/3295
+notes:
+ - GHSA lists no patches for go-redis/v7, go-redis/v8
+ - fix: 'module merge error: could not merge versions of module github.com/redis/go-redis/v9: introduced and fixed versions must alternate'
+source:
+ id: GHSA-92cp-5422-2mw7
+ created: 2025-03-25T12:08:19.663307-04:00
+review_status: REVIEWED
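Review bot: The module `github.com/redis/go-redis` appears three times (L536-L547) with identical `non_go_versions` and `vulnerable_at`, and only the third entry carries `packages`, so the first two add nothing and come out as duplicate `affected` entries in the generated OSV (data/osv/GO-2025-3540.json, L122-L177); drop them. Separately, the three `github.com/redis/go-redis/v9` entries overlap: `- fixed: 9.6.3` with no `introduced` (L575) covers everything from 0, which subsumes the 9.5.1–9.5.5 range above it and is presumably what produced the merge error recorded in `notes`; if 9.5.5 is really a fixed version, give that range an explicit `- introduced: <first vulnerable 9.6.x per the advisory>` so the three can collapse into one module entry with alternating introduced/fixed events, and if instead every version below 9.6.3 is affected, the 9.5.1–9.5.5 entry is redundant and should go. The `introduced: 9.6.0b1` non-Go version attached to the unversioned module, whose `vulnerable_at` is `6.15.9+incompatible`, looks like a v9 range mapped onto the wrong module path; worth confirming against the advisory before this is published.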
diff --git a/data/reports/GO-2025-3553.yaml b/data/reports/GO-2025-3553.yaml
new file mode 100644
index 0000000..45e4398
--- /dev/null
+++ b/data/reports/GO-2025-3553.yaml
@@ -0,0 +1,33 @@
+id: GO-2025-3553
+modules:
+ - module: github.com/golang-jwt/jwt
+ vulnerable_at: 3.2.2+incompatible
+ - module: github.com/golang-jwt/jwt/v4
+ versions:
+ - fixed: 4.5.2
+ vulnerable_at: 4.5.1
+ packages:
+ - package: github.com/golang-jwt/jwt/v4
+ symbols:
+ - ParseUnverified
+ - module: github.com/golang-jwt/jwt/v5
+ versions:
+ - introduced: 5.0.0-rc.1
+ - fixed: 5.2.2
+ vulnerable_at: 5.2.1
+ packages:
+ - package: github.com/golang-jwt/jwt/v5
+ symbols:
+ - ParseUnverified
+summary: Excessive memory allocation during header parsing in github.com/golang-jwt/jwt
+cves:
+ - CVE-2025-30204
+ghsas:
+ - GHSA-mh63-6h87-95cp
+references:
+ - advisory: https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp
+ - fix: https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3
+source:
+ id: GHSA-mh63-6h87-95cp
+ created: 2025-03-25T12:07:15.109849-04:00
+review_status: REVIEWED
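Review bot: The `github.com/golang-jwt/jwt` entry (L624-L625) has no `versions` and no `packages`, so every version of the unversioned module is reported as affected at module level with no symbol information (the generated OSV emits `introduced: "0"` with no fix and an empty `ecosystem_specific`). That may well be the right call for an unpatched major version, but the reason is not recorded here, whereas GO-2025-3540.yaml documents the equivalent decision in `notes` (L610). Add a `notes` entry in the same style, e.g. `notes:` / `  - GHSA lists no patch for github.com/golang-jwt/jwt (v3 line)`, adjusted to what the advisory actually says about that line.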