Skip to content

GO-2026-5932: The golang.org/x/crypto/openpgp package is unsafe by design, has numerous known security issues, is not maintained, and should not be used. #5080

Description

@AkihiroSuda

https://pkg.go.dev/vuln/GO-2026-5932

The golang.org/x/crypto/openpgp package is unsafe by design, has numerous known security issues, is not maintained, and should not be used. If you are required to interoperate with OpenPGP systems and need a maintained package, consider github.com/ProtonMail/go-crypto/openpgp which is a maintained fork that aims to be a drop-in replacement for this package.

$ go mod why golang.org/x/crypto/openpgp
# golang.org/x/crypto/openpgp
github.com/containerd/nerdctl/v2/pkg/cmd/image
github.com/containerd/imgcrypt/v2/images/encryption
github.com/containers/ocicrypt
golang.org/x/crypto/openpgp

Being fixed in:

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions