apk package
wolfi/jitsucom-bulker-syncctl
pkg:apk/wolfi/jitsucom-bulker-syncctl
Vulnerabilities (80)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-58190 | — | < 0 | 0 | Feb 5, 2026 | The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. | ||
| CVE-2025-47911 | — | < 0 | 0 | Feb 5, 2026 | The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. | ||
| CVE-2025-61732 | — | < 2.11.913-r4 | 2.11.913-r4 | Feb 5, 2026 | A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. | ||
| CVE-2025-11065 | Med | 5.3 | < 2.11.0-r2 | 2.11.0-r2 | Jan 26, 2026 | A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data process | |
| CVE-2025-64702 | — | < 2.11.913-r36 | 2.11.913-r36 | Dec 11, 2025 | quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (man | ||
| CVE-2025-58181 | Med | 5.3 | < 0 | 0 | Nov 19, 2025 | SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. | |
| CVE-2025-47914 | Med | 5.3 | < 0 | 0 | Nov 19, 2025 | SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. | |
| CVE-2025-47913 | Hig | 7.5 | < 0 | 0 | Nov 13, 2025 | SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. | |
| CVE-2025-63811 | Hig | 7.5 | < 2.11.913-r1 | 2.11.913-r1 | Nov 12, 2025 | An issue was discovered in dvsekhvalnov jose2go 1.5.0 thru 1.7.0 allowing an attacker to cause a Denial-of-Service (DoS) via crafted JSON Web Encryption (JWE) token with an exceptionally high compression ratio. | |
| CVE-2025-61725 | Hig | 7.5 | < 2.11.913-r0 | 2.11.913-r0 | Oct 29, 2025 | The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption. | |
| CVE-2025-61724 | Med | 5.3 | < 2.11.913-r0 | 2.11.913-r0 | Oct 29, 2025 | The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. | |
| CVE-2025-61723 | Hig | 7.5 | < 2.11.913-r0 | 2.11.913-r0 | Oct 29, 2025 | The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. | |
| CVE-2025-58189 | Med | 5.3 | < 2.11.913-r0 | 2.11.913-r0 | Oct 29, 2025 | When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. | |
| CVE-2025-58188 | Hig | 7.5 | < 2.11.913-r0 | 2.11.913-r0 | Oct 29, 2025 | Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. | |
| CVE-2025-58187 | Hig | 7.5 | < 2.11.913-r0 | 2.11.913-r0 | Oct 29, 2025 | Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. | |
| CVE-2025-58186 | Med | 5.3 | < 2.11.913-r0 | 2.11.913-r0 | Oct 29, 2025 | Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption. | |
| CVE-2025-58185 | Med | 5.3 | < 2.11.913-r0 | 2.11.913-r0 | Oct 29, 2025 | Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. | |
| CVE-2025-58183 | Med | 4.3 | < 2.11.913-r0 | 2.11.913-r0 | Oct 29, 2025 | tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When r | |
| CVE-2025-47912 | Med | 5.3 | < 2.11.913-r0 | 2.11.913-r0 | Oct 29, 2025 | The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresse | |
| CVE-2025-59530 | Hig | 7.5 | < 2.11.913-r35 | 2.11.913-r35 | Oct 10, 2025 | quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requir |
- CVE-2025-58190Feb 5, 2026affected < 0fixed 0
The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
- CVE-2025-47911Feb 5, 2026affected < 0fixed 0
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
- CVE-2025-61732Feb 5, 2026affected < 2.11.913-r4fixed 2.11.913-r4
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
- affected < 2.11.0-r2fixed 2.11.0-r2
A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data process
- CVE-2025-64702Dec 11, 2025affected < 2.11.913-r36fixed 2.11.913-r36
quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (man
- affected < 0fixed 0
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
- affected < 0fixed 0
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
- affected < 0fixed 0
SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.
- affected < 2.11.913-r1fixed 2.11.913-r1
An issue was discovered in dvsekhvalnov jose2go 1.5.0 thru 1.7.0 allowing an attacker to cause a Denial-of-Service (DoS) via crafted JSON Web Encryption (JWE) token with an exceptionally high compression ratio.
- affected < 2.11.913-r0fixed 2.11.913-r0
The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.
- affected < 2.11.913-r0fixed 2.11.913-r0
The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.
- affected < 2.11.913-r0fixed 2.11.913-r0
The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.
- affected < 2.11.913-r0fixed 2.11.913-r0
When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.
- affected < 2.11.913-r0fixed 2.11.913-r0
Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.
- affected < 2.11.913-r0fixed 2.11.913-r0
Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.
- affected < 2.11.913-r0fixed 2.11.913-r0
Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.
- affected < 2.11.913-r0fixed 2.11.913-r0
Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.
- affected < 2.11.913-r0fixed 2.11.913-r0
tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When r
- affected < 2.11.913-r0fixed 2.11.913-r0
The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresse
- affected < 2.11.913-r35fixed 2.11.913-r35
quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requir
Page 3 of 4