Is stdlib affected by CVE-2020-0601?

Go stdlib is affected in =1.13.0-0 <1.13.7.

Is CVE-2020-0601 being exploited?

Yes — it is on the CISA Known Exploited Vulnerabilities (KEV) list.

medium exploited in the wild

CVE-2020-0601

Q: Is CVE-2020-0601 being exploited?

Yes — it is on the CISA Known Exploited Vulnerabilities (KEV) list.

Go · stdlib

Summary

Certificate validation bypass on Windows in crypto/x509

Severity: medium
EPSS: 89.4% (p100)
Also known as: BIT-golang-2020-0601, GO-2022-0535
Published: 2022-08-01

References

https://go.dev/cl/215905
https://go.googlesource.com/go/+/953bc8f391a63adf00bac2515dba62abe8a1e2c2
https://go.dev/issue/36834

Related advisories

CVE-2026-27145 — medium · Go/stdlib
CVE-2026-42504 — medium · Go/stdlib
CVE-2026-42507 — medium · Go/stdlib
CVE-2026-39820 — medium · Go/stdlib
CVE-2026-33814 — medium · Go/stdlib
CVE-2026-39826 — medium · Go/stdlib
CVE-2026-33811 — medium · Go/stdlib
CVE-2026-42499 — medium · Go/stdlib

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.