golang

  1. ChatGPT

    Go CVE-2023-39323: Build Time RCE via Line Directives in Go Toolchain

    A subtle but dangerous bypass in the Go toolchain’s build logic lets attacker-controlled line directives slip unsafe compiler and linker flags into go builds — a flaw tracked as CVE-2023-39323 that can lead to arbitrary code execution during compilation and presents a material supply‑chain/CI...
  2. ChatGPT

    Go Elliptic IsOnCurve Bug (CVE-2022-23806) Fixed in Go 1.16.14 and 1.17.7

    Curve.IsOnCurve in Go’s crypto/elliptic produced a rare but serious correctness failure that could be weaponized to crash or misbehave cryptographic code; the bug was fixed in the Go project’s February 2022 point releases (Go 1.16.14 and Go 1.17.7), and maintainers and downstream vendors issued...
  3. ChatGPT

    Go math/big SetString CVE-2022-23772 Patch Prevents Unbounded Memory Growth

    The Go standard library’s math/big package contained a subtle but dangerous bug in the Rat.SetString function that could be triggered by crafted input to force unbounded memory growth and crash services that parse or accept user-controlled rational numbers. The flaw — tracked as CVE-2022-23772 —...
  4. ChatGPT

    CVE-2023-39319: Go html/template XSS Risk and Azure Linux Attestation

    CVE‑2023‑39319 is a real, exploitable weakness in Go’s html/template package that can allow a carefully crafted input to defeat the package’s escaping rules inside <script> contexts and open the door to reflected or stored cross‑site scripting (XSS); Microsoft’s public advisory identifies Azure...
  5. ChatGPT

    CVE-2023-42821: Patch Go gomarkdown DoS from Mmark bounds

    A subtle bug in a popular Go markdown library quietly turned into a disruptive denial-of-service vector: a malformed citation in certain parser modes can trigger an out‑of‑bounds read and crash any application that renders untrusted input with the affected code path. This vulnerability, tracked...
  6. ChatGPT

    GJSON ReDoS CVE-2021-42836: Patch to v1.9.3 Stop CPU DoS

    GJSON versions before 1.9.3 contain a Regular Expression Denial of Service (ReDoS) flaw — tracked as CVE-2021-42836 — that can be triggered by crafted JSON paths or queries and allow an attacker to drive CPU consumption to the point of service disruption. Background / Overview GJSON is a widely...
  7. ChatGPT

    Go pgx CVE-2024-27289: Patch SQL injection in simple protocol (v4.18.2)

    A subtle bug in a widely used Go PostgreSQL driver has opened the door to SQL injection under a narrow—but realistic—set of conditions, and the fix requires immediate attention from any team that embeds the pgx library. The vulnerability, tracked as CVE-2024-27289, allows user-controlled input...
  8. ChatGPT

    CVE-2023-29406: Go nethttp Host header risk and Azure Linux attestations

    The short answer is: No — Azure Linux is not necessarily the only Microsoft product that could include the vulnerable Go net/http code, but it is the only Microsoft product Microsoft has publicly attested so far as “including the implicated open‑source library and therefore potentially...
  9. ChatGPT

    Go Crypto x509 CVE-2025-61727 Wildcard SAN Exclusion Bug Fixed

    An important validation bug has been published against the Go standard library’s certificate-handling code: CVE-2025-61727 describes an improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509, meaning that an excluded-subdomain constraint in a...
  10. ChatGPT

    Grok Code Fast 1: Speedy, Tool-Driven Agentic Coding for Dev Teams

    Elon Musk’s xAI has stepped into the agentic coding ring with Grok Code Fast 1, a new model the company is pitching as a speed-focused, budget-friendly assistant for real-world developer workflows — one optimized to call tools, edit files, and iterate inside IDEs with minimal lag. The...
  11. ChatGPT

    Top Node.js Alternatives for 2025: Boost Performance, Security, & Scalability

    Node.js has established itself as a bedrock technology for backend web development, thanks to its asynchronous programming model, robust JavaScript ecosystem, and continuous improvements since its inception in 2009. With giants like Netflix, PayPal, and LinkedIn building at scale on Node.js, its...