@ulucinar
Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Vulnerabilities Fixed

| CVE/GHSA | Severity | Package | Fixed Version |
|---|---|---|---|
| CVE-2025-61723 | High | stdlib | go1.24.11 |
| CVE-2025-61725 | High | stdlib | go1.24.11 |
| CVE-2025-61729 | High | stdlib | go1.24.11 |
| CVE-2025-58187 | High | stdlib | go1.24.11 |
| CVE-2025-58188 | High | stdlib | go1.24.11 |
| CVE-2025-58185 | Medium | stdlib | go1.24.11 |
| CVE-2025-47912 | Medium | stdlib | go1.24.11 |
| CVE-2025-58186 | Medium | stdlib | go1.24.11 |
| CVE-2025-61724 | Medium | stdlib | go1.24.11 |
| CVE-2025-58189 | Medium | stdlib | go1.24.11 |
| CVE-2025-58183 | Medium | stdlib | go1.24.11 |
| CVE-2025-61727 | Medium | stdlib | go1.24.11 |
| GHSA-j5w8-q4qc-rx2x | Medium | golang.org/x/crypto | v0.45.0 |
| GHSA-f6x5-jh6r-wrfv | Medium | golang.org/x/crypto | v0.45.0 |

Changes Made

  • Updated Go toolchain from go1.24.4 to go1.24.11 in go.mod
  • Updated golang.org/x/crypto from v0.39.0 to v0.45.0 in go.mod
  • Ran go mod tidy to update dependencies

References

Verification

  • Rescanned with cve-scan skill after fixes
  • All listed vulnerabilities resolved

- Update Go toolchain to go1.24.11 (fixes CVE-2025-61723, CVE-2025-61725,
  CVE-2025-61729, CVE-2025-58187, CVE-2025-58188, CVE-2025-58185,
  CVE-2025-47912, CVE-2025-58186, CVE-2025-61724, CVE-2025-58189,
  CVE-2025-58183, CVE-2025-61727)
- Update golang.org/x/crypto to v0.45.0 (fixes GHSA-j5w8-q4qc-rx2x,
  GHSA-f6x5-jh6r-wrfv)

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
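A reviewer usually wants to confirm that the remediation described above actually landed in go.mod: that the effective toolchain is at least go1.24.11 and that golang.org/x/crypto resolves to at least v0.45.0. The following is an added example, not code from this PR or from the project: a small stand-alone Go program with a deliberately minimal, line-oriented go.mod parser (an assumption made for self-containment; a real tool would use golang.org/x/mod/modfile) run over two constructed go.mod samples modelled on the "before" and "after" states the PR describes. It also honours a `toolchain` directive, since Go selects the higher of the `go` and `toolchain` lines.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Minimum versions that the PR's "Vulnerabilities Fixed" table gives as the fix.
const (
	minToolchain = "go1.24.11"
	minXCrypto   = "v0.45.0"
	xCryptoPath  = "golang.org/x/crypto"
)

// goModDirectives holds only the fields this check needs.
type goModDirectives struct {
	Go        string            // value of the "go" directive
	Toolchain string            // value of the "toolchain" directive, if any
	Require   map[string]string // module path -> version from require lines
}

// parseGoMod is a minimal line-oriented parse of go.mod text (an assumption
// for this example, not golang.org/x/mod/modfile). It handles single-line and
// block "require" directives and strips "// indirect"-style comments.
func parseGoMod(src string) goModDirectives {
	d := goModDirectives{Require: map[string]string{}}
	inRequire := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		switch {
		case inRequire:
			if f[0] == ")" {
				inRequire = false
			} else if len(f) >= 2 {
				d.Require[f[0]] = f[1]
			}
		case f[0] == "go" && len(f) >= 2:
			d.Go = f[1]
		case f[0] == "toolchain" && len(f) >= 2:
			d.Toolchain = f[1]
		case f[0] == "require":
			if len(f) >= 2 && f[1] == "(" {
				inRequire = true
			} else if len(f) >= 3 {
				d.Require[f[1]] = f[2]
			}
		}
	}
	return d
}

// leadingInt returns the leading decimal digits of s (so "25rc1" -> 25).
func leadingInt(s string) (int, bool) {
	n, i := 0, 0
	for i < len(s) && s[i] >= '0' && s[i] <= '9' {
		n = n*10 + int(s[i]-'0')
		i++
	}
	return n, i > 0
}

// versionParts strips a "go" or "v" prefix and splits "1.24.11" into [1 24 11].
func versionParts(v string) []int {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	var parts []int
	for _, p := range strings.Split(v, ".") {
		n, ok := leadingInt(p)
		if !ok {
			break
		}
		parts = append(parts, n)
	}
	return parts
}

// atLeast reports whether version a >= version b, comparing numeric parts;
// a missing trailing part counts as 0, so "1.24" == "1.24.0".
func atLeast(a, b string) bool {
	pa, pb := versionParts(a), versionParts(b)
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x = pa[i]
		}
		if i < len(pb) {
			y = pb[i]
		}
		if x != y {
			return x > y
		}
	}
	return true
}

// checkFixed reports whether a go.mod satisfies both remediations from the PR.
// It returns (toolchainOK, xcryptoOK, effectiveToolchain, xcryptoVersion).
func checkFixed(src string) (bool, bool, string, string) {
	d := parseGoMod(src)
	eff := d.Go
	if d.Toolchain != "" && atLeast(d.Toolchain, d.Go) {
		eff = d.Toolchain
	}
	xc := d.Require[xCryptoPath]
	return eff != "" && atLeast(eff, minToolchain), xc != "" && atLeast(xc, minXCrypto), eff, xc
}

// Constructed go.mod samples modelled on the before/after states the PR
// describes; they are not the project's real go.mod.
const beforeGoMod = `module example.com/provider

go 1.24.4

require (
	golang.org/x/crypto v0.39.0
	golang.org/x/text v0.26.0 // indirect
)
`

const afterGoMod = `module example.com/provider

go 1.24.11

require (
	golang.org/x/crypto v0.45.0
	golang.org/x/text v0.26.0 // indirect
)
`

func main() {
	for _, s := range []struct{ name, src string }{{"before", beforeGoMod}, {"after", afterGoMod}} {
		tcOK, xcOK, eff, xc := checkFixed(s.src)
		fmt.Printf("%s: toolchain %s fixed=%v; %s %s fixed=%v\n", s.name, eff, tcOK, xCryptoPath, xc, xcOK)
	}
}
```

Running it prints one line per sample, with both checks false for the "before" go.mod and true for the "after" one. This verifies the declared versions only; it is a complement to, not a replacement for, rescanning the built artefact, because the resolved module graph (after `go mod tidy`) and the toolchain actually used by CI are what determine which code ships.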
@ulucinar (Author)

Build Failure Analysis

Check: push
Status: Failed
Analyzed: 2026-01-22T09:12:00Z

Summary

The push check failed due to a 404 error when the upbound/action-up@v1 GitHub Action tried to download the up CLI version v0.39.0-384.g0a0c8634 from the CDN.

Root Cause

The upbound/action-up@v1 action is configured to download up CLI version v0.39.0-384.g0a0c8634 from https://cli.upbound.io, but this version is not available at the expected location, resulting in an HTTP 404 Not Found error.

This is a CI infrastructure issue, NOT related to the code changes in this PR. The actual package build and push to xpkg.upbound.io completed successfully before this failure occurred.

Error Details

##[error]Unexpected HTTP response: 404

The error occurs in the upbound/action-up@v1 step with:

Recommendation

Re-run the failed workflow. This is a transient infrastructure issue. If the problem persists, the workflow configuration may need to be updated to use an available version of the up CLI.

Note: All core build steps succeeded:

  • Build (amd64) ✓
  • Build (arm64) ✓
  • Unit tests ✓
  • Lint ✓
  • Package push to xpkg.upbound.io ✓

This analysis was generated by the build-failure-analyze skill.

@ulucinar closed this Jan 22, 2026