x/vuln: panic with: want variadic parameter of unnamed slice or string type #75584
Closed as duplicate of#73871
Description
govulncheck version
Go: go1.25.1
Scanner: [email protected]
DB: https://vuln.go.dev
DB updated: 2025-09-22 20:48:35 +0000 UTC
Does this issue reproduce at the latest version of golang.org/x/vuln?
Just ran go install golang.org/x/vuln/cmd/govulncheck@latest to confirm, yes it does.
Output of go env in your module/workspace:
AR='ar'
CC='cc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='c++'
GCCGO='gccgo'
GO111MODULE=''
GOARCH='arm64'
GOARM64='v8.0'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/Users/davidb/Library/Caches/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/Users/davidb/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/2z/0_wcqprj2zxb7y56d7_xyrh40000gn/T/go-build212355181=/tmp/go-build -gno-record-gcc-switches -fno-common'
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMOD='/dev/null'
GOMODCACHE='/Users/davidb/src/golib/pkg/mod'
GONOPROXY='bitbucket.org/thetalake'
GONOSUMDB='bitbucket.org/thetalake'
GOOS='darwin'
GOPATH='/Users/davidb/src/golib:/Users/davidb/src/go'
GOPRIVATE='bitbucket.org/thetalake'
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/opt/homebrew/Cellar/go/1.25.1/libexec'
GOSUMDB='sum.golang.org'
GOTELEMETRY='off'
GOTELEMETRYDIR='/Users/davidb/Library/Application Support/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/opt/homebrew/Cellar/go/1.25.1/libexec/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.25.1'
GOWORK=''
PKG_CONFIG='pkg-config'What did you do?
This repo is marked as "do not use in publicly available modules", but chromedp, via chrome dev tools, are using it, so I've no choice as an indirect dependency.
go install golang.org/x/vuln/cmd/govulncheck@latest
git clone [email protected]:go-json-experiment/json.git
cd json
govulncheck ./...What did you see happen?
Is outputting a panic, which I believe it should not do.
panic: got github.com/go-json-experiment/json/jsontext.Value, want variadic parameter of unnamed slice or string type
goroutine 853 [running]:
go/types.NewSignatureType(0x0, {0x0, 0x0, 0x0}, {0x0, 0x0, 0x0}, 0x14009ce3e00, 0x14005e7aea0, 0x1)
/opt/homebrew/Cellar/go/1.25.1/libexec/src/go/types/signature.go:81 +0x2b8
golang.org/x/tools/go/ssa.(*subster).signature(0x1400a344cc0, 0x14006049080)
/Users/davidb/src/golib/pkg/mod/golang.org/x/[email protected]/go/ssa/subst.go:566 +0xd4
[...]
What did you expect to see?
A successful completion - not necessarily a vuln free one, but certainly without a panic.
In case this moves on and is actually fixed in the repo, the commit SHA where I can reproduce the problem locally is cc2cfa0554c3b4e80f3a96fc9f080ccf753e77aa.