fix(security): remediate CVE vulnerabilities#28

Merged: ulucinar merged 1 commit into release-0.3 from fix/cve-remediation-release-0.3-20260615-214831 on Jun 15, 2026

Conversation

@upbound-bot


Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Vulnerabilities Fixed

CVE/GHSA         Severity  Package              Fixed Version
GO-2026-5006     Critical  golang.org/x/crypto  v0.52.0
GO-2026-5023     Critical  golang.org/x/crypto  v0.52.0
GO-2026-5017     Critical  golang.org/x/crypto  v0.52.0
GO-2026-5020     Critical  golang.org/x/crypto  v0.52.0
GO-2026-5005     Critical  golang.org/x/crypto  v0.52.0
GO-2026-5021     Critical  golang.org/x/crypto  v0.52.0
GO-2026-5019     Critical  golang.org/x/crypto  v0.52.0
GO-2026-5026     Critical  golang.org/x/net     v0.55.0
CVE-2026-42504   High      stdlib               go1.25.11
GO-2026-5038     High      stdlib               go1.25.11
GO-2026-5013     High      golang.org/x/crypto  v0.52.0
GO-2026-5018     High      golang.org/x/crypto  v0.52.0
GO-2026-4918     High      golang.org/x/net     v0.55.0
CVE-2026-42507   Medium    stdlib               go1.25.11
GO-2026-5039     Medium    stdlib               go1.25.11
GO-2026-5033     Medium    golang.org/x/crypto  v0.52.0
GO-2026-5014     Medium    golang.org/x/crypto  v0.52.0
GO-2026-5015     Medium    golang.org/x/crypto  v0.52.0
GO-2026-5016     Medium    golang.org/x/crypto  v0.52.0
GO-2026-5028     Medium    golang.org/x/net     v0.55.0
GO-2026-5025     Medium    golang.org/x/net     v0.55.0
GO-2026-5027     Medium    golang.org/x/net     v0.55.0
GO-2026-5029     Medium    golang.org/x/net     v0.55.0
GO-2026-5030     Medium    golang.org/x/net     v0.55.0
CVE-2026-27145   Medium    stdlib               go1.25.11
GO-2026-5037     Medium    stdlib               go1.25.11
GO-2026-5024     Low       golang.org/x/sys     v0.45.0

Changes Made

  • Updated Go version from 1.25.10 to 1.25.11 in go.mod
  • Updated golang.org/x/crypto from v0.46.0 to v0.52.0
  • Updated golang.org/x/net from v0.48.0 to v0.55.0
  • Updated golang.org/x/sys from v0.39.0 to v0.45.0 (transitive dependency)
  • Updated CI workflow (.github/workflows/ci.yml) to use Go 1.25.11
  • Ran go mod tidy to update go.sum

References

Verification

  • Rescanned with cve-scan skill after fixes
  • All listed vulnerabilities resolved

- Update Go version to 1.25.11 (fixes CVE-2026-42504, GO-2026-5038, CVE-2026-42507, GO-2026-5039, CVE-2026-27145, GO-2026-5037)
- Update golang.org/x/crypto to v0.52.0 (fixes GO-2026-5006, GO-2026-5023, GO-2026-5017, GO-2026-5020, GO-2026-5005, GO-2026-5021, GO-2026-5019, GO-2026-5013, GO-2026-5018, GO-2026-5033, GO-2026-5014, GO-2026-5015, GO-2026-5016)
- Update golang.org/x/net to v0.55.0 (fixes GO-2026-5026, GO-2026-5028, GO-2026-5025, GO-2026-5027, GO-2026-5029, GO-2026-5030, GO-2026-4918)
- Update golang.org/x/sys to v0.45.0 (fixes GO-2026-5024)
- Update CI workflow Go version to 1.25.11

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
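A reviewer-side check for the version floors this PR sets, added here as an example that is not part of the PR or the repository: it parses go.mod text and reports every tracked directive (the go toolchain line, golang.org/x/crypto, golang.org/x/net, golang.org/x/sys) still below the remediated version listed above. Version comparison is numeric per dot-separated component, so v0.9.0 sorts below v0.10.0; a pre-release suffix is an assumption this check does not model.

```go
package main

import (
	"strconv"
	"strings"
)

// Version floors from the PR's Changes Made list, keyed by the go.mod line's first token.
var floors = map[string]string{
	"go":                  "1.25.11",
	"golang.org/x/crypto": "v0.52.0",
	"golang.org/x/net":    "v0.55.0",
	"golang.org/x/sys":    "v0.45.0",
}

// part returns the i-th dot-separated numeric component of "v0.52.0" or
// "1.25.11"; missing or non-numeric components count as 0.
func part(v string, i int) int {
	p := strings.Split(strings.TrimPrefix(v, "v"), ".")
	if i >= len(p) {
		return 0
	}
	n, _ := strconv.Atoi(p[i])
	return n
}

// lessThan reports whether version a is numerically below version b.
func lessThan(a, b string) bool {
	for i := 0; i < 3; i++ {
		if x, y := part(a, i), part(b, i); x != y {
			return x < y
		}
	}
	return false
}

// UnmetFloors scans go.mod text and returns one "path have<want" entry for
// every tracked directive still below its remediated version.
func UnmetFloors(gomod string) []string {
	var unmet []string
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 {
			continue
		}
		if want, ok := floors[f[0]]; ok && lessThan(f[1], want) {
			unmet = append(unmet, f[0]+" "+f[1]+"<"+want)
		}
	}
	return unmet
}
```

Feed it the go.mod of the branch under review; an empty result means every floor from the table is met, and a non-empty one names the directive that still needs bumping.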
@ulucinar ulucinar merged commit 5fa8e12 into release-0.3 Jun 15, 2026
5 checks passed