x/vulndb: update fixed versions for GO-2026-4513 / duplicate GO-2026-4740 #5034

@shamaton

Report IDs

  • GO-2026-4513
  • GO-2026-4740

Suggested edit

Please update the Go vulnerability database entries for shamaton/msgpack fixext DoS.

For GO-2026-4513:

  • Add fixed version 2.4.1 for module github.com/shamaton/msgpack/v2.
  • Add fixed version 3.1.1 for module github.com/shamaton/msgpack/v3.
  • Keep module github.com/shamaton/msgpack (v1) as no known fixed version, unless the Go team has contrary evidence.
  • Add alias/reference GHSA-h9q6-hc68-35rp, since GO-2026-4740 describes the same vulnerability from the GHSA source.

For GO-2026-4740:

  • This appears to be a duplicate of GO-2026-4513. Please withdraw/exclude/merge it as appropriate, or apply the same fixed-version data if it must remain served.

Evidence

Current incorrect behavior

As of 2026-05-24, pkg.go.dev/vuln still shows "all versions, no known fixed" for v2 and v3 in both reports, which makes fixed consumers of github.com/shamaton/msgpack/v2@v2.4.1 and github.com/shamaton/msgpack/v3@v3.1.1 look vulnerable.

Thanks.
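Added example (not part of the issue and not vulndb or govulncheck code): a simplified model of how an OSV-style SEMVER range is evaluated, showing why an entry with only an `introduced: 0` event flags v2.4.1 and why adding the requested `fixed` event clears it. The `Event` type, the helper names and the sample version v2.4.0 are assumptions made for illustration; only plain MAJOR.MINOR.PATCH versions are handled.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Event is one OSV-style range event; exactly one field is set (hypothetical type).
type Event struct{ Introduced, Fixed string }

// parse splits a plain MAJOR.MINOR.PATCH version into integers.
// Simplification: pre-release and build metadata are not handled.
func parse(v string) [3]int {
	var out [3]int
	for i, p := range strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3) {
		out[i], _ = strconv.Atoi(p)
	}
	return out
}

// less reports whether version a sorts strictly before version b.
func less(a, b string) bool {
	x, y := parse(a), parse(b)
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// Affected walks the events in ascending order: a version becomes affected at
// an "introduced" event it has reached and unaffected at a "fixed" event it has reached.
func Affected(events []Event, v string) bool {
	affected := false
	for _, e := range events {
		switch {
		case e.Introduced != "" && !less(v, e.Introduced):
			affected = true
		case e.Fixed != "" && !less(v, e.Fixed):
			affected = false
		}
	}
	return affected
}

func main() {
	// Constructed ranges: as currently served vs. as requested for the v2 module.
	current := []Event{{Introduced: "0"}}
	proposed := []Event{{Introduced: "0"}, {Fixed: "2.4.1"}}
	for _, v := range []string{"v2.4.0", "v2.4.1"} {
		fmt.Printf("%s current=%v proposed=%v\n", v, Affected(current, v), Affected(proposed, v))
	}
}
```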
