The Go project reports:
The SetString and UnmarshalText methods of math/big.Rat may cause a
panic or an unrecoverable fatal error if passed inputs with very
large exponents.
ReverseProxy in net/http/httputil could be made to forward certain
hop-by-hop headers, including Connection. In case the target of the
ReverseProxy was itself a reverse proxy, this would let an attacker
drop arbitrary headers, including those set by the
ReverseProxy.Director.
The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr
functions in net, and their respective methods on the Resolver type
may return arbitrary values retrieved from DNS which do not follow
the established RFC 1035 rules for domain names. If these names are
used without further sanitization, for instance unsafely included in
HTML, they may allow for injection of unexpected content. Note that
LookupTXT may still return arbitrary values that could require
sanitization before further use.
The NewReader and OpenReader functions in archive/zip can cause a
panic or an unrecoverable fatal error when reading an archive that
claims to contain a large number of files, regardless of its actual
size.