gitsafehub
github.com/bitcoin/bips

bitcoin/bips

scanned 2026-06-30 · git f078d4f
2 of 6 checks flagged a security issue
🔴 Needs attention
Only 4 of 6 checks finished; treat this as provisional.

Informational scan, not a security audit.


Security checks

Leaked secrets — Gitleaks timed out

API keys, passwords or tokens committed into the repo.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Gitleaks v8.21.2 · MIT

error: timeout after 30s

Vulnerable dependencies — Trivy 68 found · 1 serious

Packages you depend on that have known security holes (CVEs).

  • Serious CVE-2022-44797 btcd mishandles witness size checking
    bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2022-44797). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-38365 btcd did not correctly re-implement Bitcoin Core's "FindAndDelete()" functionality
    bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2024-38365). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-34478 btcd susceptible to consensus failures
    bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2024-34478). Fix: Update that package to its patched version.
  • Worth fixing CVE-2020-29652 golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference
    bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2020-29652). Fix: Update that package to its patched version.
  • Worth fixing CVE-2020-7919 golang: Integer overflow on 32bit architectures via crafted certificate allows for denial of service
    bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2020-7919). Fix: Update that package to its patched version.
  • Worth fixing CVE-2020-9283 golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic
    bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2020-9283). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic
    bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2021-43565). Fix: Update that package to its patched version.
  • Worth fixing CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server
    bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2022-27191). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-45337 golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto
    bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2024-45337). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-22869 golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh
    bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2025-22869). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-47913 golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: SSH client panic due to unexpected SSH_AGENT_SUCCESS
    bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2025-47913). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39827 An authenticated SSH client that repeatedly opened channels which were ...
    bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2026-39827). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39828 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions
    bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2026-39828). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39829 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters
    bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2026-39829). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39830 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses
    bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2026-39830). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39832 golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions
    bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2026-39832). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39835 SSH servers which use CertChecker as a public key callback without set ...
    bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2026-39835). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42508 golang.org/x/crypto/ssh/knownhosts: golang: golang.org/x/crypto/ssh/knownhosts: Revocation bypass via unchecked SignatureKey
    bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2026-42508). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-46595 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Authorization bypass due to skipped source-address validation
    bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2026-46595). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-46597 An incorrectly placed cast from bytes to int allowed for server-side p ...
    bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2026-46597). Fix: Update that package to its patched version.
  • Worth fixing CVE-2019-11840 golang.org/x/crypto: Keystream loop in amd64 assembly when overflowing 32-bit counter
    bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2019-11840). Fix: Update that package to its patched version.
  • Worth fixing CVE-2019-11841 A message-forgery issue was discovered in crypto/openpgp/clearsign/cle ...
    bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2019-11841). Fix: Update that package to its patched version.
  • Worth fixing CVE-2023-48795 ssh: Prefix truncation attack on Binary Packet Protocol (BPP)
    bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2023-48795). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-47914 golang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages
    bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2025-47914). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-58181 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication
    bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2025-58181). Fix: Update that package to its patched version.
… 43 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 8 found · 1 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious GO-2022-1098 Denial of service in message decoding in github.com/btcsuite/btcd
    /workdirs/scan-d97efeb2-5d86-40b2-b0fb-45d3a757a585/bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2022-44797). Fix: Update that package to its patched version.
  • Worth fixing GO-2024-3189 Consensus failure in github.com/btcsuite/btcd
    /workdirs/scan-d97efeb2-5d86-40b2-b0fb-45d3a757a585/bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2024-38365). Fix: Update that package to its patched version.
  • Worth fixing GHSA-vqpr-j7v3-hqw9 Valibot has a ReDoS vulnerability in `EMOJI_REGEX`
    /workdirs/scan-d97efeb2-5d86-40b2-b0fb-45d3a757a585/bip-0360/ref-impl/js/package-lock.json
    A package you depend on has a known security hole (CVE-2025-66020). Fix: Update that package to its patched version.
  • FYI GO-2024-2818 Consensus failures in github.com/btcsuite/btcd
    /workdirs/scan-d97efeb2-5d86-40b2-b0fb-45d3a757a585/bip-0158/go.mod
    A package you depend on has a known security hole (CVE-2024-34478). Fix: Update that package to its patched version.
  • FYI RUSTSEC-2026-0190 Unsoundness in `Error::downcast_mut()`
    /workdirs/scan-d97efeb2-5d86-40b2-b0fb-45d3a757a585/bip-0360/ref-impl/rust/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI RUSTSEC-2026-0097 Rand is unsound with a custom logger using `rand::rng()`
    /workdirs/scan-d97efeb2-5d86-40b2-b0fb-45d3a757a585/bip-0360/ref-impl/rust/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog none found ✓

Packages that look intentionally malicious — typosquats, sneaky install scripts.

Nothing found by this check. ✓

via Guarddog v2.10.0 · Apache-2.0

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard didn’t run

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via OpenSSF Scorecard · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.