All Gin CVEs — Complete Vulnerability History
Gin is Go's most popular HTTP framework. CVEs are relatively rare. The main CVE is a filename enumeration via Content-Disposition header manipulation.
2 CVEs total
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2020-28483 | 2020 | HIGH | Traversal via Route parameter | Fixed v1.7.0 |
| CVE-2023-29401 | 2023 | MEDIUM | Filename enumeration via Content-Disposition | Fixed v1.9.1 |
Current safe version: v1.9.1
```
// Before
require github.com/gin-gonic/gin v1.7.0

// After
require github.com/gin-gonic/gin v1.9.1
```
Then run: `go mod tidy`
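To check a project against the table above, this added example (not PackageFix's or Gin's own code) reads go.mod text and lists which of the two CVEs still apply to the required Gin version. The function names and the sample go.mod are constructed for illustration; it assumes three-part versions with components below 1000 and ignores `replace` directives.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Advisory rows copied from the CVE table on this page: {ID, fixed version}.
var ginAdvisories = [][2]string{{"CVE-2020-28483", "v1.7.0"}, {"CVE-2023-29401", "v1.9.1"}}

// ginVersion finds the gin requirement in go.mod text (single-line or block form).
func ginVersion(gomod string) (string, bool) {
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" comments
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require"))
		if len(f) == 2 && f[0] == "github.com/gin-gonic/gin" {
			return f[1], true
		}
	}
	return "", false
}

// parse turns "v1.9.1-rc1" into a comparable integer plus a pre-release flag.
func parse(v string) (n int, pre bool) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // drop build metadata
	v, _, pre = strings.Cut(v, "-")
	for _, p := range strings.SplitN(v, ".", 3) {
		x, _ := strconv.Atoi(p)
		n = n*1000 + x // assumption: each component is below 1000
	}
	return
}

// OpenAdvisories returns CVE IDs not yet fixed in the required version;
// a pre-release of the fixed version counts as still affected.
func OpenAdvisories(gomod string) (open []string) {
	v, ok := ginVersion(gomod)
	have, pre := parse(v)
	for _, adv := range ginAdvisories {
		if fixed, _ := parse(adv[1]); ok && (have < fixed || (have == fixed && pre)) {
			open = append(open, adv[0])
		}
	}
	return open
}

func main() {
	sample := "module example.com/app\n\nrequire (\n\tgithub.com/gin-gonic/gin v1.7.0 // indirect\n)\n" // constructed
	fmt.Println(OpenAdvisories(sample))
}
```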
Common questions
Does Gin have many security CVEs?
No — Gin has had very few direct CVEs given its popularity. Most Go HTTP security issues come from the standard library's net/http, which is maintained by Google. Keep both Gin and Go itself updated.
Is Gin or Echo faster for security patching?
Both have responsive maintainer teams. For security-sensitive applications, consider also using security middleware like gin-contrib/secure for HTTP security headers.