The Wire · Showcase
MIME DECODER QUADRATIC COMPLEXITY PATCHED; FIPS 140-3 DOCS FINALIZED
By RepoJournal · Filed · About Go
Go shipped a critical fix for a denial-of-service vulnerability in the mime package's WordDecoder that could consume unbounded CPU on malformed headers [1], while the security team locked down FIPS 140-3 cryptographic module documentation across the ecosystem.
The mime.WordDecoder.DecodeHeader fix [1] addresses CVE-2026-42504 by skipping entire undecodable encoded-words instead of byte-by-byte processing — a change that eliminates quadratic complexity attacks on email headers and similar MIME-encoded payloads. Simultaneously, the Go website finalized FIPS 140-3 guidance [2][3][4][5][6], shifting users from the legacy GODEBUG=fips140 flag toward the new GOFIPS140 environment variable and the crypto/fips140.Version API, with explicit warnings against the restrictive fips140=only mode. On the runtime front, goroutineleakprofile is now always-on by default [7] — there's no longer an experiment toggle to disable it, simplifying the profiling surface. The deprecation checker in cmd/api [8][9] fixed false positives and negatives by enforcing the spec: deprecated markers must start a paragraph, not hide mid-sentence. Go's build toolchain addressed a deadlock condition in cmd/go [10], while gopls expanded its linter arsenal with an errorsastype analyzer [11] to catch incorrect errors.As patterns. Over on pkg.go.dev, the API layer refactored package endpoints [12][13][14] to reduce payload redundancy and generalize pagination testing — changes that improve developer experience without breaking existing integrations.
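The WordDecoder fix above is in the standard library itself; what a service owner controls is how much input reaches the decoder. The following is an added example (not code from the Go project) that bounds header size before calling DecodeHeader and shows the two behaviours callers must handle: an encoded-word whose payload is not valid Q or B encoding is passed through unchanged, while an unsupported charset is an error. The size limit `maxHeaderBytes` and the sample headers are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"strings"
)

// maxHeaderBytes is an assumed limit for this example: capping the input
// size caps the work any decoder, quadratic or not, can spend on one header.
const maxHeaderBytes = 8 * 1024

// errHeaderTooLong is returned before any decoding work is done.
var errHeaderTooLong = errors.New("mime: header value exceeds size limit")

// decodeHeaderBounded rejects oversized values up front and otherwise defers
// to the standard library WordDecoder.
func decodeHeaderBounded(dec *mime.WordDecoder, header string) (string, error) {
	if len(header) > maxHeaderBytes {
		return "", errHeaderTooLong
	}
	return dec.DecodeHeader(header)
}

func main() {
	// A nil CharsetReader means only utf-8, iso-8859-1 and us-ascii decode.
	dec := &mime.WordDecoder{}
	samples := []struct{ name, header string }{
		{"well-formed", "Subject: =?utf-8?q?Hello_World?="},
		{"bad Q escape", "Subject: =?utf-8?q?bad=ZZ?="}, // "=ZZ" is not hex
		{"unknown charset", "Subject: =?x-unknown?q?abc?="},
		{"oversized", strings.Repeat("a", maxHeaderBytes+1)},
	}
	for _, s := range samples {
		out, err := decodeHeaderBounded(dec, s.header)
		if len(out) > 40 {
			out = out[:40] + "..."
		}
		fmt.Printf("%-16s -> %q err=%v\n", s.name, out, err)
	}
}
```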
Action items
- Review and patch systems handling MIME-encoded email headers or HTTP payloads: this DoS fix is critical for production services (golang/go) [immediate]
- Audit FIPS 140-3 deployments and migrate from GODEBUG=fips140 to the GOFIPS140 environment variable (golang/website) [plan]
- Update gopls and enable the errorsastype linter in your CI pipeline for stricter error handling checks (golang/tools) [plan]
- Monitor pkg.go.dev API pagination behavior after the refactor: no action needed unless you parse the raw API (golang/pkgsite) [monitor]
References
- [1] mime: avoid quadratic complexity in WordDecoder.DecodeHeader (golang/go)
- [2] _content/doc/security: add FIPS 140-3 Go Cryptographic Module changelog (golang/website)
- [3] _content/doc/security: document the inprocess and certified aliases (golang/website)
- [4] _content/doc/security: document crypto/fips140.Version (golang/website)
- [5] _content/doc/security: deemphasize GODEBUG=fips140 in favor of GOFIPS140 (golang/website)
- [6] _content/doc/security: discourage use of GODEBUG=fips140=only (golang/website)
- [7] internal/goexperiment,runtime: drop goroutineleakprofile experiment (golang/go)
- [8] cmd/api: fix false positive and false negative in isDeprecated (golang/go)
- [9] cmd/api/testdata: add test case for issue 79145 (golang/go)
- [10] cmd/go: fix potential deadlock (golang/go)
- [11] gopls: add errorsastype analyzer (golang/tools)
- [12] internal/api: add fields to PackageInfo (golang/pkgsite)
- [13] internal/tests/api: generalize pagination tests (golang/pkgsite)
- [14] internal/api: factor out common packages fields (golang/pkgsite)
FAQ
- What changed in Go on May 7, 2026?
- Go shipped a critical fix for a denial-of-service vulnerability in the mime package's WordDecoder that could consume unbounded CPU on malformed headers, while the security team locked down FIPS 140-3 cryptographic module documentation across the ecosystem.
- What should Go teams do about it?
- Review and patch systems handling MIME-encoded email headers or HTTP payloads, since this DoS fix is critical for production services; audit FIPS 140-3 deployments and migrate from GODEBUG=fips140 to the GOFIPS140 environment variable; update gopls and enable the errorsastype linter in your CI pipeline for stricter error handling checks.
- Which Go repositories shipped on May 7, 2026?
- golang/go, golang/website, golang/tools, golang/pkgsite