Golang.org/x/net

This hub aggregates every CVE we track for Golang.org/x/net, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Golang.org/x/net.

• CVE-2025-22872Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net6.5Apr 16, 2025
• CVE-2025-22870HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net4.4Mar 12, 2025
• CVE-2023-45288HTTP/2 CONTINUATION flood in net/http7.5Apr 4, 2024
• CVE-2023-39325HTTP/2 rapid reset can cause excessive work in net/http7.5Oct 11, 2023
• CVE-2023-44487The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.KEV7.5Oct 10, 2023
• CVE-2023-3978Improper rendering of text nodes in golang.org/x/net/html6.1Aug 2, 2023
• CVE-2022-41723Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net7.5Feb 28, 2023
• CVE-2022-41721Request smuggling due to improper request handling in golang.org/x/net/http2/h2c7.5Jan 13, 2023
• CVE-2022-41717Excessive memory growth in net/http and golang.org/x/net/http25.3Dec 8, 2022
• CVE-2022-27664In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.7.5Sep 6, 2022
• CVE-2021-31525net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client ...5.9May 27, 2021
• CVE-2021-33194golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.7.5May 26, 2021
• CVE-2019-9512Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service7.5Aug 13, 2019
• CVE-2019-9514Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service7.5Aug 13, 2019
• CVE-2018-17846The html package (aka x/net/html) through 2018-09-25 in Go mishandles <table><math><select><mi><select></table>, leading to an infinite loop during an html.Parse call because inSelectIM and inSelec...7.5Oct 1, 2018