data/reports: add 3 REVIEWED reports
- data/reports/GO-2025-3892.yaml
- data/reports/GO-2025-3900.yaml
- data/reports/GO-2025-3912.yaml
Fixes golang/vulndb#3892
Fixes golang/vulndb#3900
Fixes golang/vulndb#3912
Change-Id: I058f7410a046de0c251243b04582b6f509f09c8b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/699495
Reviewed-by: Ethan Lee <ethanalee@google.com>
Reviewed-by: Neal Patel <nealpatel@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/data/osv/GO-2025-3892.json b/data/osv/GO-2025-3892.json
new file mode 100644
index 0000000..5270148
--- /dev/null
+++ b/data/osv/GO-2025-3892.json
@@ -0,0 +1,71 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3892",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-8959",
+ "GHSA-wjrx-6529-hcj3"
+ ],
+ "summary": "HashiCorp go-getter Vulnerable to Symlink Attacks in github.com/hashicorp/go-getter",
+ "details": "HashiCorp go-getter Vulnerable to Symlink Attacks in github.com/hashicorp/go-getter",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/hashicorp/go-getter",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.7.9"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/hashicorp/go-getter",
+ "symbols": [
+ "Client.ChecksumFromFile",
+ "Client.Get",
+ "FolderStorage.Get",
+ "Get",
+ "GetAny",
+ "GetFile",
+ "GitGetter.Get",
+ "GitGetter.GetFile",
+ "GitGetter.fetchSubmodules",
+ "HttpGetter.Get",
+ "copyDir"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-wjrx-6529-hcj3"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/hashicorp/go-getter/commit/87541b2501c00df5eaedea6acc61a2a4a4efa5b7"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2025-23-hashicorp-go-getter-vulnerable-to-arbitrary-read-through-symlink-attack/76242"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3892",
+ "review_status": "REVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3900.json b/data/osv/GO-2025-3900.json
new file mode 100644
index 0000000..30bc0fd
--- /dev/null
+++ b/data/osv/GO-2025-3900.json
@@ -0,0 +1,99 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3900",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-2464-8j7c-4cjm"
+ ],
+ "summary": "Go-viper's mapstructure May Leak Sensitive Information in Logs in github.com/go-viper/mapstructure",
+ "details": "Go-viper's mapstructure May Leak Sensitive Information in Logs in github.com/go-viper/mapstructure",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/go-viper/mapstructure",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/go-viper/mapstructure/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.4.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/go-viper/mapstructure/v2",
+ "symbols": [
+ "Decoder.decodeBool",
+ "Decoder.decodeFloat",
+ "Decoder.decodeInt",
+ "Decoder.decodeUint",
+ "StringToBoolHookFunc",
+ "StringToComplex128HookFunc",
+ "StringToComplex64HookFunc",
+ "StringToFloat32HookFunc",
+ "StringToFloat64HookFunc",
+ "StringToIPHookFunc",
+ "StringToIPNetHookFunc",
+ "StringToInt16HookFunc",
+ "StringToInt32HookFunc",
+ "StringToInt64HookFunc",
+ "StringToInt8HookFunc",
+ "StringToIntHookFunc",
+ "StringToNetIPAddrHookFunc",
+ "StringToNetIPAddrPortHookFunc",
+ "StringToNetIPPrefixHookFunc",
+ "StringToTimeDurationHookFunc",
+ "StringToTimeHookFunc",
+ "StringToURLHookFunc",
+ "StringToUint16HookFunc",
+ "StringToUint32HookFunc",
+ "StringToUint64HookFunc",
+ "StringToUint8HookFunc",
+ "StringToUintHookFunc"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3900",
+ "review_status": "REVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3912.json b/data/osv/GO-2025-3912.json
new file mode 100644
index 0000000..08d984f
--- /dev/null
+++ b/data/osv/GO-2025-3912.json
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3912",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-57801",
+ "GHSA-95v9-hv42-pwrj"
+ ],
+ "summary": "Gnark is vulnerable to signature malleability in EdDSA and ECDSA due to missing scalar checks in github.com/consensys/gnark",
+ "details": "Gnark is vulnerable to signature malleability in EdDSA and ECDSA due to missing scalar checks in github.com/consensys/gnark",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/consensys/gnark",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.14.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/consensys/gnark/std/signature/eddsa",
+ "symbols": [
+ "Verify"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/Consensys/gnark/security/advisories/GHSA-95v9-hv42-pwrj"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/Consensys/gnark/commit/0ba6730f05537a351517998add89a61a0d82716e"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Consensys/gnark/commit/0ba6730f05537a351517998add89a61a0d82716e"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3912",
+ "review_status": "REVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2025-3892.yaml b/data/reports/GO-2025-3892.yaml
new file mode 100644
index 0000000..8ef734a
--- /dev/null
+++ b/data/reports/GO-2025-3892.yaml
@@ -0,0 +1,36 @@
+id: GO-2025-3892
+modules:
+ - module: github.com/hashicorp/go-getter
+ versions:
+ - fixed: 1.7.9
+ vulnerable_at: 1.7.8
+ packages:
+ - package: github.com/hashicorp/go-getter
+ symbols:
+ - GitGetter.fetchSubmodules
+ - copyDir
+ derived_symbols:
+ - Client.ChecksumFromFile
+ - Client.Get
+ - FolderStorage.Get
+ - Get
+ - GetAny
+ - GetFile
+ - GitGetter.Get
+ - GitGetter.GetFile
+ - HttpGetter.Get
+summary: |-
+ HashiCorp go-getter Vulnerable to Symlink Attacks in
+ github.com/hashicorp/go-getter
+cves:
+ - CVE-2025-8959
+ghsas:
+ - GHSA-wjrx-6529-hcj3
+references:
+ - advisory: https://github.com/advisories/GHSA-wjrx-6529-hcj3
+ - fix: https://github.com/hashicorp/go-getter/commit/87541b2501c00df5eaedea6acc61a2a4a4efa5b7
+ - web: https://discuss.hashicorp.com/t/hcsec-2025-23-hashicorp-go-getter-vulnerable-to-arbitrary-read-through-symlink-attack/76242
+source:
+ id: GHSA-wjrx-6529-hcj3
+ created: 2025-08-27T18:27:46.95276137Z
+review_status: REVIEWED
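Review bot: The report has no `description`, so the generated OSV `details` (visible in data/osv/GO-2025-3892.json) is just the summary repeated, and the summary itself only restates the GHSA title rather than the impact. The HashiCorp advisory URL in the references describes an "arbitrary read through symlink attack", and the primary symbols are `GitGetter.fetchSubmodules` and `copyDir`, which suggests a description along the lines of "go-getter follows symbolic links when copying fetched directories and Git submodules, so a crafted source can cause files outside the destination directory to be read" — confirm the exact mechanism against the advisory before adding it. A more descriptive summary in the usual vulndb form, e.g. `summary: Arbitrary file read via symlink in github.com/hashicorp/go-getter`, would also make pkg.go.dev and govulncheck output more useful than "Vulnerable to Symlink Attacks".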
diff --git a/data/reports/GO-2025-3900.yaml b/data/reports/GO-2025-3900.yaml
new file mode 100644
index 0000000..ecc5c9f
--- /dev/null
+++ b/data/reports/GO-2025-3900.yaml
@@ -0,0 +1,50 @@
+id: GO-2025-3900
+modules:
+ - module: github.com/go-viper/mapstructure
+ vulnerable_at: 1.6.0
+ - module: github.com/go-viper/mapstructure/v2
+ versions:
+ - fixed: 2.4.0
+ vulnerable_at: 2.3.0
+ packages:
+ - package: github.com/go-viper/mapstructure/v2
+ symbols:
+ - StringToIntHookFunc
+ - Decoder.decodeFloat
+ - StringToUintHookFunc
+ - Decoder.decodeInt
+ - StringToFloat32HookFunc
+ - StringToUint8HookFunc
+ - StringToInt32HookFunc
+ - StringToIPNetHookFunc
+ - StringToUint32HookFunc
+ - StringToInt8HookFunc
+ - StringToIPHookFunc
+ - StringToBoolHookFunc
+ - StringToTimeHookFunc
+ - StringToURLHookFunc
+ - StringToComplex128HookFunc
+ - StringToNetIPPrefixHookFunc
+ - StringToNetIPAddrPortHookFunc
+ - StringToTimeDurationHookFunc
+ - StringToInt16HookFunc
+ - Decoder.decodeUint
+ - StringToUint16HookFunc
+ - StringToNetIPAddrHookFunc
+ - StringToUint64HookFunc
+ - Decoder.decodeBool
+ - StringToInt64HookFunc
+ - StringToComplex64HookFunc
+ - StringToFloat64HookFunc
+summary: |-
+ Go-viper's mapstructure May Leak Sensitive Information in Logs in
+ github.com/go-viper/mapstructure
+ghsas:
+ - GHSA-2464-8j7c-4cjm
+references:
+ - advisory: https://github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm
+ - fix: https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c
+source:
+ id: GHSA-2464-8j7c-4cjm
+ created: 2025-08-27T18:27:18.386407146Z
+review_status: REVIEWED
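Review bot: The v1 module entry `github.com/go-viper/mapstructure` (vulnerable_at 1.6.0) has no `versions`/`fixed` and no `packages`, so it is published as vulnerable at every version with `ecosystem_specific: {}`; govulncheck will then flag every v1 importer at module level with no symbol precision, which is fine only if v1 is genuinely unfixed and has the same affected code — if so, a one-line note saying so would help the next reviewer, and if the same `StringTo*HookFunc`/`decode*` symbols exist in v1, listing them would restore symbol-level reporting. For the v2 module, the listed `Decoder.decodeBool`/`decodeInt`/`decodeUint`/`decodeFloat` are unexported yet there is no `derived_symbols` block, while GO-2025-3892 in this same change has one; it looks like `vulnreport fix` was not re-run after the symbol list was edited, which would also sort the currently hash-ordered list — please confirm. As with the other reports here, a short `description` (e.g. that failed string-to-type conversions return errors embedding the raw input value, which can end up in logs) would avoid `details` merely repeating the summary; verify the wording against the linked GHSA.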
diff --git a/data/reports/GO-2025-3912.yaml b/data/reports/GO-2025-3912.yaml
new file mode 100644
index 0000000..f6dc0c3
--- /dev/null
+++ b/data/reports/GO-2025-3912.yaml
@@ -0,0 +1,27 @@
+id: GO-2025-3912
+modules:
+ - module: github.com/consensys/gnark
+ versions:
+ - fixed: 0.14.0
+ vulnerable_at: 0.13.0
+ packages:
+ - package: github.com/consensys/gnark/std/signature/eddsa
+ symbols:
+ - Verify
+summary: |-
+ Gnark is vulnerable to signature malleability in EdDSA and ECDSA due to missing
+ scalar checks in github.com/consensys/gnark
+cves:
+ - CVE-2025-57801
+ghsas:
+ - GHSA-95v9-hv42-pwrj
+references:
+ - advisory: https://github.com/Consensys/gnark/security/advisories/GHSA-95v9-hv42-pwrj
+ - fix: https://github.com/Consensys/gnark/commit/0ba6730f05537a351517998add89a61a0d82716e
+ - web: https://github.com/Consensys/gnark/commit/0ba6730f05537a351517998add89a61a0d82716e
+notes:
+ - create: failed to auto-populate symbols
+source:
+ id: GHSA-95v9-hv42-pwrj
+ created: 2025-08-27T18:24:11.620782439Z
+review_status: REVIEWED
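Review bot: The summary says the malleability affects "EdDSA and ECDSA", but the only affected package listed is `github.com/consensys/gnark/std/signature/eddsa` with symbol `Verify`; if the fix commit also adds scalar range checks to the circuit ECDSA verifier, add an entry such as `- package: github.com/consensys/gnark/std/signature/ecdsa` with `symbols: [PublicKey.Verify]` (confirm the exact symbol name against the fixed tree), otherwise drop "and ECDSA" from the summary so govulncheck findings match the title. The `web` reference is the same commit URL as the `fix` reference directly above it and can be removed. Since the symbols were filled in by hand, the `create: failed to auto-populate symbols` note is now stale and is probably better removed from a REVIEWED report.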