# Go Security Threats

Security vulnerabilities and detection rules for Go. 90 rules across 54 CWE categories.

- Total rules: 90
- CWE categories: 54
- Critical rules: 7
- High severity: 40

## Frameworks

- Gin
- Echo
- Fiber
- Chi
- Gorilla
- Stdlib
- Net/http
- Go

## Top CWEs

- **CWE-693**: Protection Mechanism Failure
- **CWE-307**: Improper Restriction of Excessive Authentication Attempts
- **CWE-942**: Permissive Cross-domain Policy with Untrusted Domains
- **CWE-20**: Improper Input Validation
- **CWE-200**: Exposure of Sensitive Information to an Unauthorized Actor
- **CWE-362**: Concurrent Execution Using Shared Resource with Improper Synchronization ('Race Condition')
- **CWE-94**: Improper Control of Generation of Code ('Code Injection')
- **CWE-306**: Missing Authentication for Critical Function
- **CWE-319**: Cleartext Transmission of Sensitive Information
- **CWE-400**: Uncontrolled Resource Consumption
- **CWE-489**: Active Debug Code
- **CWE-639**: Authorization Bypass Through User-Controlled Key
- **CWE-22**: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- **CWE-502**: Deserialization of Untrusted Data
- **CWE-74**: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
- **CWE-78**: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- **CWE-89**: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- **CWE-90**: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
- **CWE-93**: Improper Neutralization of CRLF Sequences ('CRLF Injection')
- **CWE-113**: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')