Description
Advisory GHSA-h773-7gf7-9m2x references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/neuvector/neuvector |
Description:
Impact
NeuVector used a hard-coded cryptographic key embedded in its source code. At compile time the placeholder value was replaced with the real secret key, which was then used to encrypt sensitive configuration data whenever NeuVector wrote it to storage. Because the key is part of the shipped binary, anyone with a copy of the binary can recover it and decrypt that data.
In the patched version, NeuVector uses the Kubernetes Secret neuvector-store-secret in the neuvector namespace to generate and hold cryptographically secure random keys at runtime. This removes the static key value from the binary and keeps key management inside Kubernetes.
During rolling upgrade or restoring from persistent s...
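The two patterns the advisory contrasts, as an added Go example that is not NeuVector's code and is not taken from the fix commit. It assumes that the build-time substitution was done with the linker's `-X` flag (the advisory only says the value was replaced at compile time), that the Secret is projected into the pod at an assumed path `/etc/store/key`, and that writing the generated key back to that file stands in for writing it to the Secret through the Kubernetes API, which a real controller would do because Secret volumes are mounted read-only. The sample configuration string is constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
)

// Vulnerable pattern (illustration only, not NeuVector's code): a package-level
// variable whose placeholder is overwritten at link time, for example with
//   go build -ldflags "-X main.buildTimeKey=<secret>"
// Whatever value is linked in is stored as a plain string in the binary and is
// recoverable from any copy of it (container image, backup, core dump).
var buildTimeKey = "placeholder-replaced-at-link-time"

// loadOrCreateKey returns the 256-bit key stored at path, assumed to be a file
// projected from the Kubernetes Secret (the advisory names the Secret
// neuvector-store-secret in the neuvector namespace; the mount path and file
// name are assumptions). If no key exists yet, one is generated from
// crypto/rand and persisted with owner-only permissions, so the key is created
// on the cluster and never exists in source or in the image. Persisting it is
// what lets an upgraded or restored instance decrypt data written earlier.
func loadOrCreateKey(path string) ([]byte, error) {
	key, err := os.ReadFile(path)
	switch {
	case err == nil:
		if len(key) != 32 {
			return nil, fmt.Errorf("%s: key is %d bytes, want 32", path, len(key))
		}
		return key, nil
	case !errors.Is(err, os.ErrNotExist):
		return nil, err
	}
	key = make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	// Stands in for writing the key into the Secret via the Kubernetes API.
	if err := os.WriteFile(path, key, 0o600); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts cfg with AES-256-GCM; the random 12-byte nonce is prepended
// to the ciphertext so unseal can recover it.
func seal(key, cfg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, cfg, nil), nil
}

// unseal reverses seal; a wrong key or a tampered blob fails authentication.
func unseal(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

func main() {
	dir, err := os.MkdirTemp("", "store-key")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	keyPath := dir + "/key" // stands in for the assumed /etc/store/key mount
	key, err := loadOrCreateKey(keyPath)
	if err != nil {
		panic(err)
	}
	blob, err := seal(key, []byte("constructed sample config")) // constructed input
	if err != nil {
		panic(err)
	}
	plain, err := unseal(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("key from %s (%d bytes), round trip: %q\n", keyPath, len(key), plain)
}
```

A key linked in the way `buildTimeKey` shows sits in the binary's data section, so `strings` over a shipped image recovers it; that recoverability is the impact described above. The hardened path has two checks the vulnerable one lacks: the key never appears in source or image, and a file of the wrong length is rejected rather than silently used.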
References:
- ADVISORY: GHSA-h773-7gf7-9m2x
- FIX: neuvector/neuvector@084a437
Cross references:
- github.com/neuvector/neuvector appears in 5 other report(s):
- data/excluded/GO-2023-2103.yaml (x/vulndb: potential Go vuln in github.com/neuvector/neuvector: GHSA-622h-h2p8-743x #2103) EFFECTIVELY_PRIVATE
- data/reports/GO-2024-3201.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2023-22644 #3201)
- data/reports/GO-2025-3917.yaml (x/vulndb: potential Go vuln in github.com/neuvector/neuvector: GHSA-8ff6-pc43-jwv3 #3917)
- data/reports/GO-2025-3918.yaml (x/vulndb: potential Go vuln in github.com/neuvector/neuvector: GHSA-8pxw-9c75-6w56 #3918)
- data/reports/GO-2025-3919.yaml (x/vulndb: potential Go vuln in github.com/neuvector/neuvector: GHSA-w54x-xfxg-4gxq #3919)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/neuvector/neuvector
      versions:
        - introduced: 0.0.0-20230727023453-1c4957d53911
        - fixed: 0.0.0-20251020133207-084a437033b4
      non_go_versions:
        - introduced: TODO (earliest fixed "5.4.7", vuln range ">= 5.3.0, <= 5.4.6")
summary: NeuVector is shipping cryptographic material into its binary in github.com/neuvector/neuvector
cves:
    - CVE-2025-54471
ghsas:
    - GHSA-h773-7gf7-9m2x
references:
    - advisory: https://github.com/advisories/GHSA-h773-7gf7-9m2x
    - advisory: https://github.com/neuvector/neuvector/security/advisories/GHSA-h773-7gf7-9m2x
    - fix: https://github.com/neuvector/neuvector/commit/084a437033b491eeea11bdba1a09dd84ed12ea88
notes:
    - fix: 'module merge error: could not merge versions of module github.com/neuvector/neuvector: invalid or non-canonical semver version (found TODO (earliest fixed "5.4.7", vuln range ">= 5.3.0, <= 5.4.6"))'
    - fix: 'github.com/neuvector/neuvector: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
source:
    id: GHSA-h773-7gf7-9m2x
    created: 2025-10-21T21:01:36.779147775Z
review_status: UNREVIEWED
```