Skip to content

Bump library versions to resolve several vulns#467

Merged
bojand merged 2 commits intobojand:masterfrom
KrisKennawayDD:kris.kennaway/bump-x-libs
Dec 7, 2025
Merged

Bump library versions to resolve several vulns#467
bojand merged 2 commits intobojand:masterfrom
KrisKennawayDD:kris.kennaway/bump-x-libs

Conversation

@KrisKennawayDD
Copy link
Contributor

@KrisKennawayDD KrisKennawayDD commented Nov 14, 2025
edited
Loading

Resolves several vulns by updating to newer library versions. Also updates the go requirement to 1.23.0 which is required by at least one of these libs.

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                           │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2024-45337 │ CRITICAL │ fixed  │ v0.22.0           │ 0.31.0        │ golang.org/x/crypto/ssh: Misuse of                        │
│                     │                │          │        │                   │               │ ServerConfig.PublicKeyCallback may cause authorization    │
│                     │                │          │        │                   │               │ bypass in golang.org/x/crypto                             │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45337                │
│                     ├────────────────┼──────────┤        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│                     │ CVE-2025-22869 │ HIGH     │        │                   │ 0.35.0        │ golang.org/x/crypto/ssh: Denial of Service in the Key     │
│                     │                │          │        │                   │               │ Exchange of golang.org/x/crypto/ssh                       │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-22869                │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ golang.org/x/net    │ CVE-2025-22870 │ MEDIUM   │        │ v0.24.0           │ 0.36.0        │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy:  │
│                     │                │          │        │                   │               │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-22870                │
│                     ├────────────────┤          │        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│                     │ CVE-2025-22872 │          │        │                   │ 0.38.0        │ golang.org/x/net/html: Incorrect Neutralization of Input  │
│                     │                │          │        │                   │               │ During Web Page Generation in x/net in...                 │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-22872                │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ golang.org/x/oauth2 │ CVE-2025-22868 │ HIGH     │        │ v0.18.0           │ 0.27.0        │ golang.org/x/oauth2/jws: Unexpected memory consumption    │
│                     │                │          │        │                   │               │ during token parsing in golang.org/x/oauth2/jws           │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-22868                │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

(Tests in github.com/bojand/ghz/runner are failing but they are also failing the same way on master)

@KrisKennawayDD KrisKennawayDD marked this pull request as ready for review November 14, 2025 11:15
@KrisKennawayDD
Copy link
Contributor Author

KrisKennawayDD commented Dec 2, 2025

@bojand When you have the chance could you please take a look at this dependency update PR?

@bojand
Copy link
Owner

bojand commented Dec 3, 2025

Hello, thanks for the PR. I'll try and merge and release this soon, later this week or over the weekend.

@bojand bojand merged commit b67cdd6 into bojand:master Dec 7, 2025
2 of 4 checks passed
This was referenced Dec 7, 2025
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@KrisKennawayDD @bojand