Go Version 1.23.12 Contains Multiple CVEs – Request for Upgrade

[ceesvanegmond]

Hi,

Starting today, we've identified several CVE vulnerabilities in the currently used Go version 1.23.12. Specifically, there are 10 CVEs, all originating from the stdlib library.
Would it be possible to upgrade to a newer Go version to address these issues?

Will post the CVE's in a seperate comment
Thanks!

[ceesvanegmond]

========================================================================================================
Total: 10 (HIGH: 10, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-47912 │ HIGH     │ fixed  │ v1.23.12          │ 1.24.8, 1.25.2 │ [net/url: insufficient validation of bracketed IPv6        │
│         │                │          │        │                   │                │ hostnames]                                                 │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-47912                 │
│         ├────────────────┤          │        │                   │                ├────────────────────────────────────────────────────────────┤
│         │ CVE-2025-58183 │          │        │                   │                │ [archive/tar: unbounded allocation when parsing GNU sparse │
│         │                │          │        │                   │                │ map]                                                       │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-58183                 │
│         ├────────────────┤          │        │                   │                ├────────────────────────────────────────────────────────────┤
│         │ CVE-2025-58185 │          │        │                   │                │ [encoding/asn1: pre-allocating memory when parsing DER     │
│         │                │          │        │                   │                │ payload can cause memory exhaustion]                       │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-58185                 │
│         ├────────────────┤          │        │                   │                ├────────────────────────────────────────────────────────────┤
│         │ CVE-2025-58186 │          │        │                   │                │ [net/http: lack of limit when parsing cookies can cause    │
│         │                │          │        │                   │                │ memory exhaustion]                                         │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-58186                 │
│         ├────────────────┤          │        │                   ├────────────────┼────────────────────────────────────────────────────────────┤
│         │ CVE-2025-58187 │          │        │                   │ 1.24.9, 1.25.3 │ [crypto/x509: quadratic complexity when checking name      │
│         │                │          │        │                   │                │ constraints]                                               │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-58187                 │
│         ├────────────────┤          │        │                   ├────────────────┼────────────────────────────────────────────────────────────┤
│         │ CVE-2025-58188 │          │        │                   │ 1.24.8, 1.25.2 │ [crypto/x509: panic when validating certificates with DSA  │
│         │                │          │        │                   │                │ public keys]                                               │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-58188                 │
│         ├────────────────┤          │        │                   │                ├────────────────────────────────────────────────────────────┤
│         │ CVE-2025-58189 │          │        │                   │                │ [crypto/tls: ALPN negotiation errors can contain arbitrary │
│         │                │          │        │                   │                │ text]                                                      │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-58189                 │
│         ├────────────────┤          │        │                   │                ├────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61723 │          │        │                   │                │ [encoding/pem: quadratic complexity when parsing some      │
│         │                │          │        │                   │                │ invalid inputs]                                            │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-61723                 │
│         ├────────────────┤          │        │                   │                ├────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61724 │          │        │                   │                │ [net/textproto: excessive CPU consumption in               │
│         │                │          │        │                   │                │ Reader.ReadResponse]                                       │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-61724                 │
│         ├────────────────┤          │        │                   │                ├────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61725 │          │        │                   │                │ [net/mail: excessive CPU consumption in ParseAddress]      │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-61725                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴────────────────────────────────────────────────────────────┘

[ceesvanegmond]

Related: #4301

[yaya-haj]

Any updates on this issue? My CI is breaking because of it.

[arthurkz]

It's seems to have a PR opened to resolve that https://github.com/evanw/esbuild/pull/4317

[evanw]

Upgrading from Go 1.23 to Go 1.24 drops support for certain Linux kernel versions, so it's a breaking change and will have to be done in a separate breaking change release.

I've looked through these CVEs and they're all irrelevant to esbuild as usual. The relevant library code is either not used by esbuild at all or only relevant for production web servers, which esbuild's development server is not.

So if you're running some tool that is refusing to allow you to run esbuild, you'll need to add an exception for esbuild to that tool in the meantime.

[Orrison]

Upgrading from Go 1.23 to Go 1.24 drops support for certain Linux kernel versions, so it's a breaking change and will have to be done in a separate breaking change release.

I've looked through these CVEs and they're all irrelevant to esbuild as usual. The relevant library code is either not used by esbuild at all or only relevant for production web servers, which esbuild's development server is not.

So if you're running some tool that is refusing to allow you to run esbuild, you'll need to add an exception for esbuild to that tool in the meantime.

Hey @evanw, thank you so much for everything you do!

I totally understand that the CVE's themselves are not relevant directly to esbuild. But I am sure as you know, auditing scans and processes never care. We can of course add exceptions or explanation which we will need to do in the meantime.

I just wanted to ask when you think the next breaking change release that would include these updates would be?

[evanw]

I understand that it’s annoying for everyone involved. This time it’s more complicated due to the npm publishing changes being rolled out in November. I’m changing esbuild’s publishing process over to use trusted publishing. On top of that, I’m also considering changing esbuild’s executable a bit to hopefully prevent these scanners from annoying everyone again like this in the future.

I have limited time this week to work on all of that but I am working on it and I’m hoping that I can get to all of that sometime this week or next. These steps need a good chunk of time so that I’m available afterward in case something goes wrong (a broken package is even worse than a working package that scanners don’t like). I assure you that all of this is my top priority for esbuild right now.

[Orrison]

I understand that it’s annoying for everyone involved. This time it’s more complicated due to the npm publishing changes being rolled out in November. I’m changing esbuild’s publishing process over to use trusted publishing. On top of that, I’m also considering changing esbuild’s executable a bit to hopefully prevent these scanners from annoying everyone again like this in the future.

I have limited time this week to work on all of that but I am working on it and I’m hoping that I can get to all of that sometime this week or next. These steps need a good chunk of time so that I’m available afterward in case something goes wrong (a broken package is even worse than a working package that scanners don’t like). I assure you that all of this is my top priority for esbuild right now.

Of course, thank you so much!