data/reports: add 4 reports

  - data/reports/GO-2025-3463.yaml
  - data/reports/GO-2025-3498.yaml
  - data/reports/GO-2025-3499.yaml
  - data/reports/GO-2025-3500.yaml

Fixes #3463
Fixes #3498
Fixes #3499
Fixes #3500

Change-Id: Ibfa6cf4d39b364c0971aebd76ae850a71574c973
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/655095
Reviewed-by: Zvonimir Pavlinovic <[email protected]>
Auto-Submit: Neal Patel <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>

Author: thatnealpatel

data/osv/GO-2025-3463.json

@@ -0,0 +1,144 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3463",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "GHSA-6fgm-x6ff-w78f"
+  ],
+  "summary": "DoS may temporarily disable IBC transfers to native chain in github.com/cosmos/ibc-apps/middleware/packet-forward-middleware",
+  "details": "DoS may temporarily disable IBC transfers to native chain in github.com/cosmos/ibc-apps/middleware/packet-forward-middleware",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/cosmos/ibc-apps/middleware/packet-forward-middleware/v4",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/cosmos/ibc-apps/middleware/packet-forward-middleware/v5",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/cosmos/ibc-apps/middleware/packet-forward-middleware/v6",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/cosmos/ibc-apps/middleware/packet-forward-middleware/v7",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "7.2.1"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/cosmos/ibc-apps/middleware/packet-forward-middleware/v7/packetforward",
+            "symbols": [
+              "AppModule.ConsensusVersion",
+              "AppModule.RegisterServices",
+              "Keeper.WriteAcknowledgementForForwardedPacket"
+            ]
+          }
+        ]
+      }
+    },
+    {
+      "package": {
+        "name": "github.com/cosmos/ibc-apps/middleware/packet-forward-middleware/v8",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "8.1.1"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/cosmos/ibc-apps/middleware/packet-forward-middleware/v8/packetforward",
+            "symbols": [
+              "AppModule.ConsensusVersion",
+              "AppModule.RegisterServices",
+              "Keeper.WriteAcknowledgementForForwardedPacket"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/cosmos/ibc-apps/security/advisories/GHSA-6fgm-x6ff-w78f"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cosmos/ibc-apps/releases/tag/middleware%2Fpacket-forward-middleware%2Fv7.2.1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cosmos/ibc-apps/releases/tag/middleware%2Fpacket-forward-middleware%2Fv8.1.1"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3463",
+    "review_status": "REVIEWED"
+  }
+}

data/osv/GO-2025-3498.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3498",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-27421",
+    "GHSA-vh64-54px-qgf8"
+  ],
+  "summary": "Goroutine Leak in Abacus SSE Implementation in github.com/jasonlovesdoggo/abacus",
+  "details": "Goroutine Leak in Abacus SSE Implementation in github.com/jasonlovesdoggo/abacus",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/jasonlovesdoggo/abacus",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.0-20250302043802-898ff1204e11"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/JasonLovesDoggo/abacus/security/advisories/GHSA-vh64-54px-qgf8"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27421"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/JasonLovesDoggo/abacus/commit/78fdb9b48b7f6d08ed0cd41077509c0a97071552"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/JasonLovesDoggo/abacus/commit/898ff1204e11317cc161240b660e63eed5a72b33"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3498",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3499.json

@@ -0,0 +1,141 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3499",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-27507",
+    "GHSA-f3gh-529w-v32x"
+  ],
+  "summary": "IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations in github.com/zitadel/zitadel",
+  "details": "IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations in github.com/zitadel/zitadel.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/zitadel/zitadel before v2.63.8, from v2.64.0 before v2.64.5, from v2.65.0 before v2.65.6, from v2.66.0 before v2.66.11, from v2.67.0 before v2.67.8, from v2.68.0 before v2.68.4, from v2.69.0 before v2.69.4, from v2.70.0 before v2.70.1.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/zitadel/zitadel",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "2.63.8"
+              },
+              {
+                "introduced": "2.64.0"
+              },
+              {
+                "fixed": "2.64.5"
+              },
+              {
+                "introduced": "2.65.0"
+              },
+              {
+                "fixed": "2.65.6"
+              },
+              {
+                "introduced": "2.66.0"
+              },
+              {
+                "fixed": "2.66.11"
+              },
+              {
+                "introduced": "2.67.0"
+              },
+              {
+                "fixed": "2.67.8"
+              },
+              {
+                "introduced": "2.68.0"
+              },
+              {
+                "fixed": "2.68.4"
+              },
+              {
+                "introduced": "2.69.0"
+              },
+              {
+                "fixed": "2.69.4"
+              },
+              {
+                "introduced": "2.70.0"
+              },
+              {
+                "fixed": "2.70.1"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-f3gh-529w-v32x"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27507"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/zitadel/zitadel/commit/d9d8339813f1c43d3eb7d8d80f11fdabb2fd2ee4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.63.8"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.64.5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.65.6"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.66.11"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.67.8"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.68.4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.69.4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.70.1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.71.0"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3499",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3500.json

@@ -0,0 +1,49 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3500",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-27155",
+    "GHSA-fr62-mg2q-7wqv"
+  ],
+  "summary": "In-memory stored Cross-site scripting (XSS) vulnerability in pineconesim in github.com/matrix-org/pinecone",
+  "details": "In-memory stored Cross-site scripting (XSS) vulnerability in pineconesim in github.com/matrix-org/pinecone",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/matrix-org/pinecone",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/matrix-org/pinecone/security/advisories/GHSA-fr62-mg2q-7wqv"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27155"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/matrix-org/pinecone/commit/218b2801995b174085cb1c8fafe2d3aa661f85bd"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3500",
+    "review_status": "UNREVIEWED"
+  }
+}