data/reports: add 15 reports

  - data/reports/GO-2025-3962.yaml
  - data/reports/GO-2025-3963.yaml
  - data/reports/GO-2025-3964.yaml
  - data/reports/GO-2025-3965.yaml
  - data/reports/GO-2025-3966.yaml
  - data/reports/GO-2025-3967.yaml
  - data/reports/GO-2025-3968.yaml
  - data/reports/GO-2025-3969.yaml
  - data/reports/GO-2025-3970.yaml
  - data/reports/GO-2025-3971.yaml
  - data/reports/GO-2025-3972.yaml
  - data/reports/GO-2025-3973.yaml
  - data/reports/GO-2025-3974.yaml
  - data/reports/GO-2025-3976.yaml
  - data/reports/GO-2025-3977.yaml

Fixes #3962
Fixes #3963
Fixes #3964
Fixes #3965
Fixes #3966
Fixes #3967
Fixes #3968
Fixes #3969
Fixes #3970
Fixes #3971
Fixes #3972
Fixes #3973
Fixes #3974
Fixes #3976
Fixes #3977

Change-Id: I9e030aae978bf9dbd3e83871c1bfa00ee0f3e1df
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/705856
Reviewed-by: Markus Kusano <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Ethan Lee <[email protected]>

Author: ethanalee-work

data/osv/GO-2025-3962.json

@@ -0,0 +1,53 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3962",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-59341",
+    "GHSA-49pv-gwxp-532r"
+  ],
+  "summary": "esm.sh has File Inclusion issue in github.com/esm-dev/esm.sh",
+  "details": "esm.sh has File Inclusion issue in github.com/esm-dev/esm.sh",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/esm-dev/esm.sh",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-49pv-gwxp-532r"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59341"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/esm-dev/esm.sh/commit/492de92850dd4d350c8b299af541f87541e58a45"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/esm-dev/esm.sh/blob/c62f191d32639314ff0525d1c3c0e19ea2b16143/server/router.go#L1168"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3962",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3963.json

@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3963",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-59348",
+    "GHSA-2qgr-gfvj-qpcr"
+  ],
+  "summary": "Dragonfly incorrectly handles a task structure’s usedTrac field in d7y.io/dragonfly",
+  "details": "Dragonfly incorrectly handles a task structure’s usedTrac field in d7y.io/dragonfly",
+  "affected": [
+    {
+      "package": {
+        "name": "d7y.io/dragonfly/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.1.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/dragonflyoss/dragonfly",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-2qgr-gfvj-qpcr"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59348"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3963",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3964.json

@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3964",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-59349",
+    "GHSA-8425-8r2f-mrv6"
+  ],
+  "summary": "Dragonfly's directories created via os.MkdirAll are not checked for permissions in d7y.io/dragonfly",
+  "details": "Dragonfly's directories created via os.MkdirAll are not checked for permissions in d7y.io/dragonfly",
+  "affected": [
+    {
+      "package": {
+        "name": "d7y.io/dragonfly/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.1.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/dragonflyoss/dragonfly",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-8425-8r2f-mrv6"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59349"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3964",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3965.json

@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3965",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-59345",
+    "GHSA-89vc-vf32-ch59"
+  ],
+  "summary": "Dragonfly doesn't have authentication enabled for some Manager’s endpoints in d7y.io/dragonfly",
+  "details": "Dragonfly doesn't have authentication enabled for some Manager’s endpoints in d7y.io/dragonfly",
+  "affected": [
+    {
+      "package": {
+        "name": "d7y.io/dragonfly/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.1.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/dragonflyoss/dragonfly",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-89vc-vf32-ch59"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59345"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3965",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3966.json

@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3966",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-59347",
+    "GHSA-98x5-jw98-6c97"
+  ],
+  "summary": "Dragonfly's manager makes requests to external endpoints with disabled TLS authentication in d7y.io/dragonfly",
+  "details": "Dragonfly's manager makes requests to external endpoints with disabled TLS authentication in d7y.io/dragonfly",
+  "affected": [
+    {
+      "package": {
+        "name": "d7y.io/dragonfly/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.1.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/dragonflyoss/dragonfly",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-98x5-jw98-6c97"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59347"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3966",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3967.json

@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3967",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-59342",
+    "GHSA-g2h5-cvvr-7gmw"
+  ],
+  "summary": "esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header in github.com/esm-dev/esm.sh",
+  "details": "esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header in github.com/esm-dev/esm.sh",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/esm-dev/esm.sh",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-g2h5-cvvr-7gmw"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59342"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/esm-dev/esm.sh/commit/833a29f42aeb0acbd7089a71be11dd0a292d3151"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3967",
+    "review_status": "UNREVIEWED"
+  }
+}