OVAL

ALAS2-2021-1694 --- golang

ID: oval:org.secpod.oval:def:1700697
Date: (C)2021-08-10   (M)2023-11-30
Class: PATCH
Family: unix




A vulnerability was found in archive/zip of the Go standard library. Applications written in Go can panic or potentially exhaust system memory when parsing malformed ZIP files.

A flaw was found in golang. A panic can be triggered by an attacker in a privileged network position without access to the server certificate's private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists, or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites, as well as TLS 1.3-only clients, are unaffected.

Platform:
Amazon Linux 2
Product:
golang
Reference:
ALAS2-2021-1694
CVE-2021-33196
CVE-2021-34558
CPE:
cpe:/o:amazon:linux:2
cpe:/a:golang:golang

© SecPod Technologies