When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.CreditsNational Cyber Security Centre FinlandReferenceshttps://go.dev/cl/707776https://go.dev/issue/75652https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bIhttps://pkg.go.dev/vuln/GO-2025-4008
