GCVE - cpe:2.3:a:golang:text:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:golang:text:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Golang (`670356c5-bd1b-5c66-9eee-f755f5cec4c7`)
Product	Text (`f6e7a324-010a-5374-a3ff-6cb4f8f2025f`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:github/golang/text`	purl2cpe	2026-06-01 10:12:04.334889

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2022-32149`	vulnerable	2026-06-03 14:47:20.818645	Denial of service via crafted Accept-Language header in golang.org/x/text/language An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse. Published: 2022-10-14T00:00:00.000Z Updated: 2025-05-15T20:35:11.868Z Open on db.gcve.eu Reference links https://go.dev/issue/56152 https://go.dev/cl/442235 https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ https://pkg.go.dev/vuln/GO-2022-1059	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2021-38561`	vulnerable	2026-06-03 14:45:07.558607	Details available golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack. Published: 2022-12-26T00:00:00.000Z Updated: 2025-04-14T16:15:14.817Z Open on db.gcve.eu Reference links https://groups.google.com/g/golang-announce https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f https://deps.dev/advisory/OSV/GO-2021-0113 https://pkg.go.dev/golang.org/x/text/language	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2020-28852`	vulnerable	2026-06-03 14:42:21.760420	Details available In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) Published: 2021-01-02T05:45:53.000Z Updated: 2024-08-04T16:40:59.820Z Open on db.gcve.eu Reference links https://github.com/golang/go/issues/42536 https://security.netapp.com/advisory/ntap-20210212-0004/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2020-14040`	vulnerable	2026-06-03 14:41:37.735956	Details available The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String. Published: 2020-06-17T19:22:31.000Z Updated: 2024-08-04T12:32:14.681Z Open on db.gcve.eu Reference links https://groups.google.com/forum/#%21topic/golang-announce/bXVeAmGOqz0 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.