GHSA-3h3x-2hwv-hr52

GitHub Security Advisory

Golang FIPS OpenSSL has a Use of Uninitialized Variable vulnerability

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed HMAC sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
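The false-positive match described above, with a defensive check on the caller's side, as an added example that is not code from golang-fips/openssl or from the advisory. The names `sumFunc`, `zeroedSum`, `naiveVerify` and `checkedVerify` are hypothetical, and `zeroedSum` is a constructed stand-in that only simulates a backend returning a zeroed buffer.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// sumFunc stands in for whichever backend computes the trusted MAC (hypothetical type).
type sumFunc func(key, msg []byte) []byte

func goodSum(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// zeroedSum simulates the failure mode: the backend hands back a zeroed buffer.
func zeroedSum(key, msg []byte) []byte { return make([]byte, sha256.Size) }

var ErrBadBackendSum = errors.New("computed MAC is zeroed or has the wrong length")

// naiveVerify trusts the computed sum, so zeroed == zeroed is accepted.
func naiveVerify(sum sumFunc, key, msg, tag []byte) bool {
	return hmac.Equal(sum(key, msg), tag)
}

// checkedVerify fails closed when the computed sum is all zeros or mis-sized.
// A genuine HMAC-SHA256 output is all zeros with probability 2^-256.
func checkedVerify(sum sumFunc, key, msg, tag []byte) (bool, error) {
	want := sum(key, msg)
	zero := make([]byte, len(want))
	if len(want) != sha256.Size || subtle.ConstantTimeCompare(want, zero) == 1 {
		return false, ErrBadBackendSum
	}
	return hmac.Equal(want, tag), nil
}

func main() {
	key, msg := []byte("constructed-key"), []byte("constructed-message")
	zeroTag := make([]byte, sha256.Size) // untrusted input: a zeroed sum
	fmt.Println("naive, faulty backend:", naiveVerify(zeroedSum, key, msg, zeroTag))
	ok, err := checkedVerify(zeroedSum, key, msg, zeroTag)
	fmt.Println("checked, faulty backend:", ok, err)
}
```

The check is defense in depth for code that verifies MACs; it does not replace moving off the affected versions of the package.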

Affected Packages

Go github.com/golang-fips/openssl
Affected versions: 0 (last affected: 2.0.3)

Related CVEs

Key Information

GHSA ID: GHSA-3h3x-2hwv-hr52
Published: October 1, 2024 9:31 PM
Last Modified: May 14, 2025 6:30 PM
CVSS Score: 7.5/10
Primary Ecosystem: Go
Primary Package: github.com/golang-fips/openssl
GitHub Reviewed: ✓ Yes

Dataset

Last updated: June 18, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.