gitsafehub
github.com/chen08209/flclash

chen08209/flclash

scanned 2026-07-01 · git ac2f6b9
2 of 6 checks flagged a security issue
🟡 Worth a look
Only 5 of 6 checks finished — treat this as provisional.

Informational scan, not a security audit.


Security checks

Leaked secrets — Gitleaks timed out

API keys, passwords or tokens committed into the repo.

This check didn’t finish — that’s not the same as “clean.”

via Gitleaks v8.21.2 · MIT

error: timeout after 120s

Vulnerable dependencies — Trivy 34 found

Packages you depend on that have known security holes (CVEs).

  • Worth fixing CVE-2025-22869 golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh
    core/go.mod
    A package you depend on has a known security hole (CVE-2025-22869). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-47913 golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: SSH client panic due to unexpected SSH_AGENT_SUCCESS
    core/go.mod
    A package you depend on has a known security hole (CVE-2025-47913). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39827 An authenticated SSH client that repeatedly opened channels which were ...
    core/go.mod
    A package you depend on has a known security hole (CVE-2026-39827). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39828 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions
    core/go.mod
    A package you depend on has a known security hole (CVE-2026-39828). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39829 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters
    core/go.mod
    A package you depend on has a known security hole (CVE-2026-39829). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39830 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses
    core/go.mod
    A package you depend on has a known security hole (CVE-2026-39830). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39832 golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions
    core/go.mod
    A package you depend on has a known security hole (CVE-2026-39832). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39835 golang.org/x/crypto/ssh: golang: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate
    core/go.mod
    A package you depend on has a known security hole (CVE-2026-39835). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42508 golang.org/x/crypto/ssh/knownhosts: golang: golang.org/x/crypto/ssh/knownhosts: Revocation bypass via unchecked SignatureKey
    core/go.mod
    A package you depend on has a known security hole (CVE-2026-42508). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-46595 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Authorization bypass due to skipped source-address validation
    core/go.mod
    A package you depend on has a known security hole (CVE-2026-46595). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-46597 An incorrectly placed cast from bytes to int allowed for server-side p ...
    core/go.mod
    A package you depend on has a known security hole (CVE-2026-46597). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-47914 golang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages
    core/go.mod
    A package you depend on has a known security hole (CVE-2025-47914). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-58181 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication
    core/go.mod
    A package you depend on has a known security hole (CVE-2025-58181). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39831 The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nis ...
    core/go.mod
    A package you depend on has a known security hole (CVE-2026-39831). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39833 golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to unenforced key confirmation
    core/go.mod
    A package you depend on has a known security hole (CVE-2026-39833). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39834 When writing data larger than 4GB in a single Write call on an SSH cha ...
    core/go.mod
    A package you depend on has a known security hole (CVE-2026-39834). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-46598 golang.org/x/crypto/ssh/agent: golang: golang.org/x/crypto/ssh/agent: Denial of Service via malformed input
    core/go.mod
    A package you depend on has a known security hole (CVE-2026-46598). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-25680 Parsing arbitrary HTML can consume excessive CPU time, possibly leadin ...
    core/go.mod
    A package you depend on has a known security hole (CVE-2026-25680). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-25681 Parsing arbitrary HTML which is then rendered using Render can result ...
    core/go.mod
    A package you depend on has a known security hole (CVE-2026-25681). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-27136 Parsing arbitrary HTML which is then rendered using Render can result ...
    core/go.mod
    A package you depend on has a known security hole (CVE-2026-27136). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33814 net/http/internal/http2: golang: golang.org/x/net: Go HTTP/2: Denial of Service via malformed SETTINGS_MAX_FRAME_SIZE frame
    core/go.mod
    A package you depend on has a known security hole (CVE-2026-33814). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39821 golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing
    core/go.mod
    A package you depend on has a known security hole (CVE-2026-39821). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42502 Parsing arbitrary HTML which is then rendered using Render can result ...
    core/go.mod
    A package you depend on has a known security hole (CVE-2026-42502). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-22870 golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
    core/go.mod
    A package you depend on has a known security hole (CVE-2025-22870). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-22872 golang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
    core/go.mod
    A package you depend on has a known security hole (CVE-2025-22872). Fix: Update that package to its patched version.
… 9 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 86 found

Your dependencies cross-checked against the OSV vulnerability database.

  • Worth fixing GO-2025-3487 Potential denial of service in golang.org/x/crypto
    /workdirs/scan-01841cba-06d3-4c7f-8c9c-b2d26436ad51/core/go.mod
    A package you depend on has a known security hole (CVE-2025-22869). Fix: Update that package to its patched version.
  • Worth fixing GO-2025-4134 Unbounded memory consumption in golang.org/x/crypto/ssh
    /workdirs/scan-01841cba-06d3-4c7f-8c9c-b2d26436ad51/core/go.mod
    A package you depend on has a known security hole (CVE-2025-58181). Fix: Update that package to its patched version.
  • Worth fixing GO-2025-4135 Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent
    /workdirs/scan-01841cba-06d3-4c7f-8c9c-b2d26436ad51/core/go.mod
    A package you depend on has a known security hole (CVE-2025-47914). Fix: Update that package to its patched version.
  • Worth fixing GO-2025-3503 HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
    /workdirs/scan-01841cba-06d3-4c7f-8c9c-b2d26436ad51/core/go.mod
    A package you depend on has a known security hole (CVE-2025-22870). Fix: Update that package to its patched version.
  • Worth fixing GO-2025-3595 Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
    /workdirs/scan-01841cba-06d3-4c7f-8c9c-b2d26436ad51/core/go.mod
    A package you depend on has a known security hole (CVE-2025-22872). Fix: Update that package to its patched version.
  • Worth fixing GO-2025-3488 Unexpected memory consumption during token parsing in golang.org/x/oauth2
    /workdirs/scan-01841cba-06d3-4c7f-8c9c-b2d26436ad51/core/go.mod
    A package you depend on has a known security hole (CVE-2025-22868). Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2026-0007 Integer overflow in `BytesMut::reserve`
    /workdirs/scan-01841cba-06d3-4c7f-8c9c-b2d26436ad51/services/helper/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-25541). Fix: Update that package to its patched version.
  • Minor RUSTSEC-2025-0023 Broadcast channel calls clone in parallel, but does not require `Sync`
    /workdirs/scan-01841cba-06d3-4c7f-8c9c-b2d26436ad51/plugins/rust_api/rust/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor RUSTSEC-2025-0023 Broadcast channel calls clone in parallel, but does not require `Sync`
    /workdirs/scan-01841cba-06d3-4c7f-8c9c-b2d26436ad51/services/helper/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GO-2025-4116 Potential denial of service in golang.org/x/crypto/ssh/agent
    /workdirs/scan-01841cba-06d3-4c7f-8c9c-b2d26436ad51/core/go.mod
    A package you depend on has a known security hole (CVE-2025-47913). Fix: Update that package to its patched version.
  • FYI GO-2026-5005 Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent
    /workdirs/scan-01841cba-06d3-4c7f-8c9c-b2d26436ad51/core/go.mod
    A package you depend on has a known security hole (CVE-2026-39833). Fix: Update that package to its patched version.
  • FYI GO-2026-5006 Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent
    /workdirs/scan-01841cba-06d3-4c7f-8c9c-b2d26436ad51/core/go.mod
    A package you depend on has a known security hole (CVE-2026-39832). Fix: Update that package to its patched version.
  • FYI GO-2026-5013 Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh
    /workdirs/scan-01841cba-06d3-4c7f-8c9c-b2d26436ad51/core/go.mod
    A package you depend on has a known security hole (CVE-2026-46597). Fix: Update that package to its patched version.
  • FYI GO-2026-5014 Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh
    /workdirs/scan-01841cba-06d3-4c7f-8c9c-b2d26436ad51/core/go.mod
    A package you depend on has a known security hole (CVE-2026-39828). Fix: Update that package to its patched version.
  • FYI GO-2026-5015 Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh
    /workdirs/scan-01841cba-06d3-4c7f-8c9c-b2d26436ad51/core/go.mod
    A package you depend on has a known security hole (CVE-2026-39835). Fix: Update that package to its patched version.
  • FYI GO-2026-5016 Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh
    /workdirs/scan-01841cba-06d3-4c7f-8c9c-b2d26436ad51/core/go.mod
    A package you depend on has a known security hole (CVE-2026-39827). Fix: Update that package to its patched version.
  • FYI GO-2026-5017 Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh
    /workdirs/scan-01841cba-06d3-4c7f-8c9c-b2d26436ad51/core/go.mod
    A package you depend on has a known security hole (CVE-2026-39830). Fix: Update that package to its patched version.
  • FYI GO-2026-5018 Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh
    /workdirs/scan-01841cba-06d3-4c7f-8c9c-b2d26436ad51/core/go.mod
    A package you depend on has a known security hole (CVE-2026-39829). Fix: Update that package to its patched version.
  • FYI GO-2026-5019 Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh
    /workdirs/scan-01841cba-06d3-4c7f-8c9c-b2d26436ad51/core/go.mod
    A package you depend on has a known security hole (CVE-2026-39831). Fix: Update that package to its patched version.
  • FYI GO-2026-5020 Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh
    /workdirs/scan-01841cba-06d3-4c7f-8c9c-b2d26436ad51/core/go.mod
    A package you depend on has a known security hole (CVE-2026-39834). Fix: Update that package to its patched version.
  • FYI GO-2026-5021 Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts
    /workdirs/scan-01841cba-06d3-4c7f-8c9c-b2d26436ad51/core/go.mod
    A package you depend on has a known security hole (CVE-2026-42508). Fix: Update that package to its patched version.
  • FYI GO-2026-5023 Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh
    /workdirs/scan-01841cba-06d3-4c7f-8c9c-b2d26436ad51/core/go.mod
    A package you depend on has a known security hole (CVE-2026-46595). Fix: Update that package to its patched version.
  • FYI GO-2026-5033 Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent
    /workdirs/scan-01841cba-06d3-4c7f-8c9c-b2d26436ad51/core/go.mod
    A package you depend on has a known security hole (CVE-2026-46598). Fix: Update that package to its patched version.
  • FYI GO-2026-4440 Quadratic parsing complexity in golang.org/x/net/html
    /workdirs/scan-01841cba-06d3-4c7f-8c9c-b2d26436ad51/core/go.mod
    A package you depend on has a known security hole (CVE-2025-47911). Fix: Update that package to its patched version.
  • FYI GO-2026-4441 Infinite parsing loop in golang.org/x/net
    /workdirs/scan-01841cba-06d3-4c7f-8c9c-b2d26436ad51/core/go.mod
    A package you depend on has a known security hole (CVE-2025-58190). Fix: Update that package to its patched version.
… 61 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog none found ✓

Packages that look intentionally malicious — typosquats, sneaky install scripts.

Nothing found by this check. ✓

via Guarddog v2.10.0 · Apache-2.0

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 10 notes

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

  • Worth fixing scorecard-overall OpenSSF Scorecard overall: 1.7/10
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CI-Tests CI-Tests scored 0: 0 out of 1 merged PRs checked by a CI test -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Code-Review Code-Review scored 0: Found 1/30 approved changesets -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Contributors Contributors scored 0: project has 0 contributing companies or organizations -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Dependency-Update-Tool Dependency-Update-Tool scored 0: no update tool detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Signed-Releases Signed-Releases scored 0: Project has not signed or included provenance with any releases.
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.

via OpenSSF Scorecard v5.5.0 · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.