Skip to content

fix(security): remediate CVE vulnerabilities#18

Merged
ulucinar merged 1 commit intorelease-0.3from
fix/cve-remediation-2026-01-22
Jan 22, 2026
Merged

fix(security): remediate CVE vulnerabilities#18
ulucinar merged 1 commit intorelease-0.3from
fix/cve-remediation-2026-01-22

Conversation

@upbound-bot
Copy link

@upbound-bot upbound-bot commented Jan 22, 2026

Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Vulnerabilities Fixed

CVE/GHSA Severity Package Fixed Version
CVE-2025-61723 High stdlib go1.24.11
CVE-2025-61725 High stdlib go1.24.11
CVE-2025-61729 High stdlib go1.24.11
CVE-2025-58187 High stdlib go1.24.11
CVE-2025-58188 High stdlib go1.24.11
CVE-2025-58185 Medium stdlib go1.24.11
CVE-2025-47912 Medium stdlib go1.24.11
CVE-2025-58186 Medium stdlib go1.24.11
CVE-2025-61724 Medium stdlib go1.24.11
CVE-2025-58189 Medium stdlib go1.24.11
CVE-2025-58183 Medium stdlib go1.24.11
CVE-2025-61727 Medium stdlib go1.24.11
GHSA-j5w8-q4qc-rx2x Medium golang.org/x/crypto v0.45.0
GHSA-f6x5-jh6r-wrfv Medium golang.org/x/crypto v0.45.0

Changes Made

  • Updated Go toolchain from go1.24.4 to go1.24.11 in go.mod
  • Updated golang.org/x/crypto from v0.39.0 to v0.45.0 in go.mod
  • Ran go mod tidy to update go.sum

References

Verification

  • Rescanned with cve-scan skill after fixes
  • All listed vulnerabilities resolved

@ulucinar
fix(security): remediate CVE vulnerabilities
08aaaba 
- Update Go toolchain to 1.24.11 (fixes CVE-2025-61723, CVE-2025-61725,
  CVE-2025-61729, CVE-2025-58187, CVE-2025-58188, CVE-2025-58185,
  CVE-2025-47912, CVE-2025-58186, CVE-2025-61724, CVE-2025-58189,
  CVE-2025-58183, CVE-2025-61727)
- Update golang.org/x/crypto to v0.45.0 (fixes GHSA-j5w8-q4qc-rx2x,
  GHSA-f6x5-jh6r-wrfv)

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
ulucinar
ulucinar approved these changes Jan 22, 2026
View reviewed changes
Copy link

@ulucinar ulucinar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The agent has resolved the issue in a slightly different way than what we probably would do but...
The fix is effective.

@ulucinar
Copy link

ulucinar commented Jan 22, 2026

We would normally have a secondary goal to make the Go version consistent across the repositories.

@ulucinar ulucinar merged commit 777e7a0 into release-0.3 Jan 22, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ulucinar ulucinar ulucinar approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@upbound-bot @ulucinar