chore(deps): update module golang.org/x/crypto to v0.45.0 [security] - autoclosed by NumaryBot · Pull Request #118 · formancehq/auth

NumaryBot · 2025-11-20T02:32:49Z

This PR contains the following updates:

Package	Type	Update	Change
golang.org/x/crypto	indirect	minor	`v0.43.0` -> `v0.45.0`

GitHub Vulnerability Alerts

CVE-2025-58181

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

CVE-2025-47914

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read

CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135

More information

Details

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Severity

CVSS Score: 5.3 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent

CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135

More information

Details

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption

CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134

More information

Details

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Severity

CVSS Score: 5.3 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Unbounded memory consumption in golang.org/x/crypto/ssh

CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134

More information

Details

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

NumaryBot · 2025-11-20T02:32:53Z

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

5 additional dependencies were updated

Details:

Package	Change
`golang.org/x/text`	`v0.30.0` -> `v0.31.0`
`golang.org/x/net`	`v0.45.0` -> `v0.47.0`
`golang.org/x/sync`	`v0.17.0` -> `v0.18.0`
`golang.org/x/sys`	`v0.37.0` -> `v0.38.0`
`golang.org/x/tools`	`v0.37.0` -> `v0.38.0`

coderabbitai · 2025-11-20T02:33:05Z

📝 Walkthrough

Walkthrough

The pull request updates six indirect and direct dependencies in go.mod to newer versions. These include updates to golang.org/x/text, golang.org/x/crypto, golang.org/x/net, golang.org/x/sync, golang.org/x/sys, and golang.org/x/tools. No new dependencies are introduced or removed.

Changes

Cohort / File(s)	Summary
Dependency version bumps `go.mod`	Updated six golang.org/x/* packages: text (v0.30.0→v0.31.0), crypto (v0.43.0→v0.45.0), net (v0.45.0→v0.47.0), sync (v0.17.0→v0.18.0), sys (v0.37.0→v0.38.0), tools (v0.37.0→v0.38.0).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

All changes are mechanical version bumps with no logic modifications
Homogeneous pattern across all updates simplifies verification
No control flow or behavior changes introduced

Poem

🐰 The versions climb higher, each module spins true,
golang.org/x/* grows stronger anew,
No breaking changes here, just patches and care,
Hopping forward with grace through the dependency air!

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title focuses on updating golang.org/x/crypto to v0.45.0, but the PR also updates five other dependencies as a cascading effect of the go get run.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

📝 Generate docstrings

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)

CVE-2025: Authentication required, not authenticated - You need to authenticate to access this operation.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

chore(deps): update module golang.org/x/crypto to v0.45.0 [security]

31e746b

NumaryBot added the security label Nov 20, 2025

NumaryBot enabled auto-merge (squash) November 20, 2025 02:32

NumaryBot changed the title ~~chore(deps): update module golang.org/x/crypto to v0.45.0 [security]~~ chore(deps): update module golang.org/x/crypto to v0.45.0 [security] - autoclosed Jan 3, 2026

NumaryBot closed this Jan 3, 2026

auto-merge was automatically disabled January 3, 2026 02:35
Pull request was closed

NumaryBot deleted the renovate/go-golang.org-x-crypto-vulnerability branch January 3, 2026 02:35

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update module golang.org/x/crypto to v0.45.0 [security] - autoclosed#118

chore(deps): update module golang.org/x/crypto to v0.45.0 [security] - autoclosed#118
NumaryBot wants to merge 1 commit intomainfrom
renovate/go-golang.org-x-crypto-vulnerability

NumaryBot commented Nov 20, 2025 •

edited

Loading

Uh oh!

NumaryBot commented Nov 20, 2025

Uh oh!

coderabbitai bot commented Nov 20, 2025 •

edited

Loading

Walkthrough

Changes

Estimated code review effort

Poem

Review ran into problems

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

NumaryBot commented Nov 20, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

CVE-2025-58181

CVE-2025-47914

golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read

Details

Severity

References

Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent

Details

Severity

References

golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption

Details

Severity

References

Unbounded memory consumption in golang.org/x/crypto/ssh

Details

Severity

References

Configuration

Uh oh!

NumaryBot commented Nov 20, 2025

ℹ Artifact update notice

File name: go.mod

Uh oh!

coderabbitai bot commented Nov 20, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Estimated code review effort

Poem

Pre-merge checks and finishing touches

Review ran into problems

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

NumaryBot commented Nov 20, 2025 •

edited

Loading

coderabbitai bot commented Nov 20, 2025 •

edited

Loading