⚠️ Outdated golang.org/x/crypto Dependency
This repository is currently using golang.org/x/crypto v0.14.0 but the latest version is v0.50.0.
Last scanned: 2026-05-03 09:26 UTC
Why Update?
Keeping cryptographic dependencies up-to-date is critical for security. Newer versions often include fixes for known vulnerabilities.
🔒 Security Vulnerabilities Fixed in Newer Versions
The following CVEs have been addressed in versions after v0.14.0:
- CVE-2023-48795 (MODERATE): Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC aka Terrapin - Fixed in 0.17.0 (details)
- CVE-2024-45337 (CRITICAL): Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto - Fixed in 0.31.0 (details)
- CVE-2025-22869 (HIGH): golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange - Fixed in 0.35.0 (details)
- CVE-2025-47914 (MODERATE): golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read - Fixed in 0.45.0 (details)
- CVE-2025-58181 (MODERATE): golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption - Fixed in 0.45.0 (details)
🤖 Recommendation: Enable Dependabot
This repository does not appear to have Dependabot configured. We recommend enabling Dependabot to automatically keep your go.mod dependencies up-to-date and receive security alerts.
To enable Dependabot, create a .github/dependabot.yml file:
    version: 2
    updates:
      - package-ecosystem: "gomod"
        directory: "/"
        schedule:
          interval: "weekly"
        open-pull-requests-limit: 10
See GitHub Dependabot documentation for more details.
📋 How to Update
Run the following commands to update:
    go get golang.org/x/crypto@v0.50.0
    go mod tidy
Then run your tests and submit a PR with the changes.
🔗 Central Tracking
This issue is part of an organization-wide effort to keep golang.org/x/crypto dependencies up-to-date.
See the central tracking issue for a full overview: redhat-best-practices-for-k8s/telco-bot#59
This issue is automatically managed by the xcrypto-lookup.sh scanner.