Safeguard
Open Source Security

Go vulnerability database (govulncheck) trend report

Go's vulnerability database is scaling fast and stdlib CVEs are clustering. Here's what govulncheck vulnerability trends reveal about reachability, typosquats, and risk.

Vikram Iyer
Cloud Security Engineer
7 min read

The Go Vulnerability Database crossed another quiet milestone this year: advisory IDs are now routinely issued in the GO-2026-4xxx range, up from GO-2023-2xxx just three years ago — a pace that puts govulncheck vulnerability trends squarely on the radar of every security team shipping Go in production. Behind the numbering scheme is a database that has gone from a niche Go-team side project to the de facto reachability layer that OSV-Scanner, GitHub's dependency graph, and a growing list of commercial scanners now build on top of. The story in 2025 and into 2026 isn't just "more CVEs" — it's a standard library taking direct hits in its most security-sensitive packages, a supply chain layer that keeps getting typosquatted, and a scanning model (call-graph reachability) that is quietly becoming the industry's answer to alert fatigue.

A Database Under Pressure: The Numbers

The Go Vulnerability Database (vuln.go.dev) ingests from the National Vulnerability Database, the GitHub Advisory Database, package maintainer reports, and direct submissions to the Go Security team, then republishes them as GO-ID advisories that govulncheck consumes natively. Advisory IDs like GO-2026-4452, GO-2026-4559, and GO-2026-4984 — all live entries as of mid-2026 — show a database that has scaled well past its early "curated handful" reputation. Every one of those entries carries structured, symbol-level metadata: which functions are vulnerable, not just which module versions. That's the detail govulncheck uses to determine whether your code actually calls into the flawed code path, rather than merely importing a package that happens to contain one somewhere in its dependency tree.

That symbol-level precision is the whole reason govulncheck vulnerability trends look different from trends in other ecosystem scanners. A naive SCA tool flags every module version match; govulncheck (and by extension OSV-Scanner, which embeds govulncheck's analysis engine for Go source scanning) narrows that list down to what's reachable from your actual call graph. Teams running it at scale have reported the gap between "flagged" and "reachable" running as high as 90%+ noise reduction on large codebases — a number that matters enormously as the raw advisory count keeps climbing.

Standard Library Under the Microscope

The most consequential govulncheck vulnerability trend of the past year isn't in some obscure third-party module — it's in the Go standard library itself, the code every single Go binary links against by default.

  • CVE-2025-22871net/http improperly accepted a bare line-feed (LF) as a chunk-size terminator in chunked transfer encoding, opening the door to HTTP request smuggling against front-end/back-end proxy pairs that disagree on framing.
  • CVE-2025-58187 and CVE-2025-61729 — both in crypto/x509, involving inefficient algorithmic complexity (CWE-407) and uncontrolled resource consumption (CWE-400) respectively, giving attackers a denial-of-service lever via crafted certificates.
  • CVE-2025-61730 — a crypto/tls flaw permitting information disclosure during the TLS 1.3 handshake.
  • CVE-2025-68121 — also in crypto/tls: if a Config's ClientCAs or RootCAs fields are mutated between an initial handshake and a resumed one (a pattern common with Config.Clone() or GetConfigForClient), a resumed session can succeed when the original handshake would have failed — a subtle trust-boundary bug with real authentication-bypass implications.

The Go team shipped fixes across Go 1.24.13, 1.25.7, and the 1.26.0-rc.3 release train to close these out. The clustering is notable: four distinct advisories touching net/http and crypto/tls/x509 inside a single patch cycle means teams pinned to an older Go toolchain weren't looking at "one CVE to triage," they were looking at a coordinated set of network-facing and cryptographic weaknesses landing at once. For any organization treating the Go toolchain version as a background dependency rather than a tracked artifact, this cluster is the clearest signal yet that stdlib versioning needs the same discipline as third-party module versioning.

The Supply Chain Angle: Typosquats Riding Shotgun

Standard library CVEs get patched through official channels and show up cleanly in govulncheck output. The harder problem — and a growing share of real-world Go vulnerability trends — is malicious code that never generates a CVE at all because it isn't a "vulnerability" in the classic sense; it's intentional.

Three incidents illustrate the pattern. In February 2025, github.com/boltdb-go/bolt — a near-identical typosquat of the widely used github.com/boltdb/bolt — was found shipping a remote-access backdoor with command-and-control callbacks. Once the module was cached by the Go Module Proxy, the maintainers' later attempt to scrub the malicious git tag on GitHub didn't matter: proxy.golang.org's immutability guarantees, designed for reproducible builds, kept serving the compromised version regardless. A separate case surfaced a typosquat of github.com/shopspring/decimal — an arbitrary-precision arithmetic library used across financial and infrastructure code — registered as shopsprint/decimal back in 2017 and weaponized years later when a malicious init() function was slipped into a point release. Because Go's init() functions execute automatically at program startup with no call required, this class of attack sits entirely outside what call-graph reachability analysis is designed to catch — a useful reminder that reachability and provenance are complementary controls, not substitutes for each other. And in June 2025, GitLab's detection tooling caught github.com/qiniiu/qmgo, a typosquat of the popular MongoDB driver github.com/qiniu/qmgo — with a near-identical second squat, qiiniu/qmgo, reappearing just four days after the first was pulled.

The common thread: the Go Module Proxy's cache-forever design, built to guarantee reproducible builds, is a double-edged sword for security teams. It means a compromised module version can remain permanently fetchable long after the source repository is cleaned up or deleted — which is exactly why software bill-of-materials (SBOM) visibility into exact resolved versions, not just declared dependencies, has become non-negotiable for Go shops.

Why Reachability Changes the Calculus

Put the two trends together — a standard library issuing coordinated CVE clusters, and a module ecosystem where typosquats and long-dormant backdoors can surface years after publication — and you get the core tension in govulncheck vulnerability trends today: raw advisory volume is rising faster than most teams' triage capacity, and generic version-matching scanners amplify the problem instead of solving it.

govulncheck's answer is call-graph analysis: it builds a static call graph of your binary and checks whether any path actually reaches a known-vulnerable symbol. This is a meaningful advance over "your go.mod contains a vulnerable version" — but it has real limits worth naming plainly. It only checks against the Go vulnerability database (missing advisories that live solely in NVD or GHSA formats without a GO-ID mirror), it analyzes statically rather than at runtime, and — as the init()-triggered backdoors above show — it isn't built to catch deliberately malicious code that doesn't correspond to a disclosed CVE at all. Reachability analysis is a precision upgrade for legitimate vulnerabilities, not a complete supply-chain security program by itself.

What This Means for Go Teams

Three practical takeaways fall out of this year's data. First, pin and track your Go toolchain version with the same rigor you apply to application dependencies — the stdlib CVE cluster proves the compiler and runtime are attack surface, not neutral infrastructure. Second, don't treat "govulncheck came back clean" as "we have no supply chain risk" — it means no known, reachable, CVE-tracked risk, which is a narrower claim than most teams assume. Third, given that proxy.golang.org can keep serving malicious code indefinitely, provenance and SBOM accuracy for exact resolved module versions matter as much as vulnerability scanning itself.

How Safeguard Helps

Safeguard closes the gap between what govulncheck can see and what Go supply chains actually need. Our reachability analysis extends beyond govulncheck's static call-graph model to correlate exploitability across your full dependency graph — including transitive modules pulled in by build tags and vendored code that pure symbol analysis can miss. Griffin AI, Safeguard's security reasoning engine, triages the resulting findings against real usage context, prioritizing the standard-library and third-party CVE clusters that matter for your specific binaries instead of surfacing every GO-ID match. Safeguard generates and ingests SBOMs at the exact resolved-version level — the same level of precision that would have flagged the boltdb-go and shopsprint typosquats before they shipped — and continuously diffs them against new advisories and known-malicious package signals. When a fix is available, Safeguard opens auto-fix pull requests that bump the Go toolchain or module version and re-run reachability checks automatically, so remediation doesn't stall in a backlog while advisory counts keep climbing.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.