Conversation

@upbound-bot

Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Vulnerabilities Fixed

| CVE/GHSA | Severity | Package | Fixed Version |
|---|---|---|---|
| CVE-2025-61723 | High | stdlib | go1.24.11 |
| CVE-2025-61725 | High | stdlib | go1.24.11 |
| CVE-2025-61729 | High | stdlib | go1.24.11 |
| CVE-2025-58187 | High | stdlib | go1.24.11 |
| CVE-2025-58188 | High | stdlib | go1.24.11 |
| CVE-2025-58185 | Medium | stdlib | go1.24.11 |
| CVE-2025-47912 | Medium | stdlib | go1.24.11 |
| CVE-2025-58186 | Medium | stdlib | go1.24.11 |
| CVE-2025-61724 | Medium | stdlib | go1.24.11 |
| CVE-2025-58189 | Medium | stdlib | go1.24.11 |
| CVE-2025-58183 | Medium | stdlib | go1.24.11 |
| CVE-2025-61727 | Medium | stdlib | go1.24.11 |
| GHSA-j5w8-q4qc-rx2x | Medium | golang.org/x/crypto | v0.45.0 |
| GHSA-f6x5-jh6r-wrfv | Medium | golang.org/x/crypto | v0.45.0 |

Changes Made

  • Updated Go toolchain from go1.24.4 to go1.24.11 in go.mod
  • Updated golang.org/x/crypto from v0.39.0 to v0.45.0 in go.mod
  • Ran go mod tidy to update go.sum

References

Verification

  • Rescanned with cve-scan skill after fixes
  • All listed vulnerabilities resolved

- Update Go toolchain to 1.24.11 (fixes CVE-2025-61723, CVE-2025-61725,
  CVE-2025-61729, CVE-2025-58187, CVE-2025-58188, CVE-2025-58185,
  CVE-2025-47912, CVE-2025-58186, CVE-2025-61724, CVE-2025-58189,
  CVE-2025-58183, CVE-2025-61727)
- Update golang.org/x/crypto to v0.45.0 (fixes GHSA-j5w8-q4qc-rx2x,
  GHSA-f6x5-jh6r-wrfv)

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
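The verification step above relies on a rescan. As an added example (not code from this PR or from the project), the Go program below does the narrower check a reviewer can run offline against a go.mod: it parses the `go`/`toolchain` directives and the `require` entries, and reports any version still below the fixed versions the table pins (go1.24.11 for the stdlib CVEs, golang.org/x/crypto v0.45.0 for the two GHSAs). The two go.mod texts are constructed samples, one in block `require` form and one in single-line form; the version comparison is a simplified numeric one that is an assumption of this example (pre-release tags such as `rc1` count as zero, so they sort below their release), and it complements rather than replaces a vulnerability scanner such as govulncheck.

```go
package main

import (
	"bufio"
	"fmt"
	"slices"
	"strconv"
	"strings"
)

// Fixed versions from the PR's vulnerability table.
const (
	minGo     = "go1.24.11"
	minCrypto = "v0.45.0"
)

// Constructed sample go.mod texts (not the project's real go.mod): the state
// before the PR (block require) and after it (single-line require).
const beforeGoMod = `module example.com/constructed

go 1.24.4

require (
	golang.org/x/crypto v0.39.0 // below the fixed version in the table
)
`

const afterGoMod = `module example.com/constructed

go 1.24.11

require golang.org/x/crypto v0.45.0
`

// Finding is one declared version that is still below the fixed version.
type Finding struct{ Name, Have, Want string }

// numericParts strips a "go" or "v" prefix and any "-pre"/"+build" suffix and
// returns four numeric components. Assumption of this example: a non-numeric
// component such as "24rc1" counts as 0; go/version implements the real rules.
func numericParts(v string) []int {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := make([]int, 4) // fixed width so "v0.45" compares equal to "v0.45.0"
	for i, p := range strings.Split(v, ".") {
		if i < len(parts) {
			parts[i], _ = strconv.Atoi(p) // invalid component -> 0 (see above)
		}
	}
	return parts
}

// compareVersions returns -1, 0 or 1; an empty string sorts below any release.
func compareVersions(a, b string) int {
	return slices.Compare(numericParts(a), numericParts(b))
}

// parseGoMod returns the effective Go version (the larger of the go and
// toolchain directives) and a map of required module -> version.
func parseGoMod(src string) (goVersion string, requires map[string]string) {
	requires = map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//") // drop trailing comments
		f := strings.Fields(line)
		switch {
		case len(f) == 0: // blank or comment-only line
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) >= 2:
			requires[f[0]] = f[1]
		case (f[0] == "go" || f[0] == "toolchain") && len(f) >= 2:
			if v := "go" + strings.TrimPrefix(f[1], "go"); compareVersions(v, goVersion) > 0 {
				goVersion = v // "toolchain default" never wins here
			}
		case f[0] == "require" && len(f) >= 2 && f[1] == "(":
			inBlock = true
		case f[0] == "require" && len(f) >= 3:
			requires[f[1]] = f[2]
		}
	}
	return goVersion, requires
}

// audit checks one go.mod text against the versions the PR pins. A module
// that is not required at all is not a finding.
func audit(src string) []Finding {
	goVersion, req := parseGoMod(src)
	var findings []Finding
	if compareVersions(goVersion, minGo) < 0 {
		findings = append(findings, Finding{"go toolchain (stdlib)", goVersion, minGo})
	}
	if have, ok := req["golang.org/x/crypto"]; ok && compareVersions(have, minCrypto) < 0 {
		findings = append(findings, Finding{"golang.org/x/crypto", have, minCrypto})
	}
	return findings
}

func main() {
	for _, f := range audit(beforeGoMod) { // afterGoMod yields no findings
		fmt.Printf("%s is %q, fixed version is %s\n", f.Name, f.Have, f.Want)
	}
}
```

On the "before" sample the program reports both the toolchain and x/crypto as below the fixed versions; on the "after" sample it reports nothing, which is the state the PR's `go.mod` edits are meant to reach. Reading the real file is a matter of replacing the constructed constant with `os.ReadFile("go.mod")`.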

@ulucinar ulucinar left a comment

The agent has resolved the issue in a slightly different way than what we probably would do but...
The fix is effective.

@ulucinar

We would normally have a secondary goal to make the Go version consistent across the repositories.

@ulucinar ulucinar merged commit 777e7a0 into release-0.3 Jan 22, 2026
5 checks passed

3 participants