The clearsign package accepts some malformed messages, making it possible for an attacker to trick a human user (but not a Go program) into thinking unverified text is part of the message.
With fix, messages with malformed headers in the SIGNED MESSAGE section are rejected.
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2023-1992" }