You guys know I like to bash Go, but... FUCK!
"The Go security team has determined that the root causes of the vulnerabilities cannot be reliably addressed."
Ok, your language design has some serious flaw that can't be fixed, so they are basically saying "Yup, a core library is going to be vulnerable for a long time".
Also, this has been going on since August 2020, according to the related post. Project Zero works way fast (30 days) to disclose issues on every other project, but on a project from their own company, 4 months.
Google surely cares about the well-being of the internet, sure.
Link: https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/