Skip to content

fix(deps): vuln minor upgrades — 10 packages (minor: 9 · patch: 1) #22

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/go/0-1783349849
Draft

fix(deps): vuln minor upgrades — 10 packages (minor: 9 · patch: 1) #22
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/go/0-1783349849

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown

Summary: Critical-severity security update — 10 packages upgraded (MINOR changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
golang.org/x/crypto v0.25.0 v0.53.0 minor Transitive 17 CRITICAL, 8 HIGH, 14 MEDIUM
google.golang.org/grpc v1.65.0 v1.82.0 minor Transitive 3 CRITICAL
github.com/sirupsen/logrus v1.4.1 v1.9.4 minor Direct 3 HIGH
github.com/golang-jwt/jwt/v5 v5.2.1 v5.2.3 patch Transitive 3 HIGH
golang.org/x/net v0.27.0 v0.56.0 minor Transitive 2 HIGH, 8 MEDIUM, 7 UNKNOWN
golang.org/x/oauth2 v0.21.0 v0.36.0 minor Transitive 2 HIGH
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.3 v1.7.14 minor Transitive 1 MEDIUM
github.com/aws/aws-sdk-go-v2/service/lambda v1.56.1 v1.94.1 minor Transitive 1 MEDIUM
github.com/aws/aws-sdk-go-v2/service/s3 v1.58.0 v1.104.2 minor Transitive 1 MEDIUM
golang.org/x/sys v0.22.0 v0.46.0 minor Transitive 1 UNKNOWN

Security Details

🚨 Critical & High Severity (38 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
golang.org/x/crypto GO-2026-5021 CRITICAL Invoking auth bypass via unenforced @Revoked status in golang.org/x/crypto/ssh/knownhosts v0.25.0 0.52.0 -
golang.org/x/crypto GHSA-5cgq-3rg8-m6cv CRITICAL golang.org/x/crypto/ssh/knownhosts vulnerable to auth bypass via unenforced @Revoked status v0.25.0 - -
golang.org/x/crypto GO-2026-5023 CRITICAL Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh v0.25.0 0.52.0 -
golang.org/x/crypto GHSA-v778-237x-gjrc CRITICAL Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto v0.25.0 0.31.0 -
golang.org/x/crypto CVE-2024-45337 critical - v0.25.0 - -
golang.org/x/crypto GO-2024-3321 critical Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto v0.25.0 0.31.0 -
golang.org/x/crypto GHSA-89gr-r52h-f8rx CRITICAL golang.org/x/crypto/ssh: FIDO/U2F security key physical presence check can be bypassed v0.25.0 - -
golang.org/x/crypto GO-2026-5019 CRITICAL Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh v0.25.0 0.52.0 -
golang.org/x/crypto GO-2026-5017 CRITICAL Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh v0.25.0 0.52.0 -
golang.org/x/crypto GHSA-vgwf-h737-ff37 CRITICAL golang.org/x/crypto/ssh: Invoking client can cause server deadlock on unexpected responses v0.25.0 - -
golang.org/x/crypto GHSA-jppx-rxg9-jmrx CRITICAL golang.org/x/crypto/ssh/agent doesn't enforce invoking key constraints v0.25.0 - -
golang.org/x/crypto GHSA-x527-x647-q7gg CRITICAL golang.org/x/crypto/ssh: Invoking VerifiedPublicKeyCallback permissions skip enforcement v0.25.0 - -
golang.org/x/crypto GO-2026-5020 CRITICAL Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh v0.25.0 0.52.0 -
golang.org/x/crypto GO-2026-5006 CRITICAL Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent v0.25.0 0.52.0 -
golang.org/x/crypto GHSA-f5wc-c3c7-36mc CRITICAL golang.org/x/crypto/ssh/agent doesn't drop invoking agent constraints when forwarding keys v0.25.0 - -
golang.org/x/crypto GHSA-rm3j-f69w-wqmq CRITICAL golang.org/x/crypto/ssh vulnerable to infinite loop on large channel writes v0.25.0 - -
golang.org/x/crypto GO-2026-5005 CRITICAL Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent v0.25.0 0.52.0 -
google.golang.org/grpc CVE-2026-33186 CRITICAL gRPC-Go has an authorization bypass via missing leading slash in :path v1.65.0 - -
google.golang.org/grpc GHSA-p77j-4mvh-x3m3 CRITICAL gRPC-Go has an authorization bypass via missing leading slash in :path v1.65.0 1.79.3 -
google.golang.org/grpc GO-2026-4762 CRITICAL Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc v1.65.0 1.79.3 -
github.com/golang-jwt/jwt/v5 GO-2025-3553 HIGH Excessive memory allocation during header parsing in github.com/golang-jwt/jwt v5.2.1 5.2.2 -
github.com/golang-jwt/jwt/v5 GHSA-mh63-6h87-95cp HIGH jwt-go allows excessive memory allocation during header parsing v5.2.1 5.2.2 -
github.com/golang-jwt/jwt/v5 CVE-2025-30204 HIGH jwt-go allows excessive memory allocation during header parsing v5.2.1 - -
github.com/sirupsen/logrus GO-2025-4188 high Logrus is vulnerable to DoS when using Entry.writerScanner in github.com/sirupsen/logrus v1.4.1 1.8.3 -
github.com/sirupsen/logrus GHSA-4f99-4q7p-p3gh HIGH Logrus is vulnerable to DoS when using Entry.Writer() v1.4.1 1.8.3 -
github.com/sirupsen/logrus CVE-2025-65637 high - v1.4.1 - -
golang.org/x/crypto GO-2025-4116 HIGH Potential denial of service in golang.org/x/crypto/ssh/agent v0.25.0 0.43.0 -
golang.org/x/crypto GO-2026-5018 HIGH Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh v0.25.0 0.52.0 -
golang.org/x/crypto GHSA-q4h4-gmj2-qvw2 HIGH golang.org/x/crypto/ssh: Invoking byte arithmetic causes underflow and panic v0.25.0 - -
golang.org/x/crypto GHSA-56w8-48fp-6mgv HIGH golang.org/x/crypto/ssh/agent has a potential denial of service v0.25.0 - -
golang.org/x/crypto GHSA-hcg3-q754-cr77 HIGH golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange v0.25.0 0.35.0 -
golang.org/x/crypto GO-2025-3487 HIGH Potential denial of service in golang.org/x/crypto v0.25.0 0.35.0 -
golang.org/x/crypto GHSA-w879-237q-wc7r HIGH golang.org/x/crypto/ssh: Invoking pathological RSA/DSA parameters may cause DoS v0.25.0 - -
golang.org/x/crypto GO-2026-5013 HIGH Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh v0.25.0 0.52.0 -
golang.org/x/net GHSA-w32m-9786-jp63 HIGH Non-linear parsing of case-insensitive content in golang.org/x/net/html v0.27.0 - -
golang.org/x/net GO-2024-3333 HIGH Non-linear parsing of case-insensitive content in golang.org/x/net/html v0.27.0 0.33.0 -
golang.org/x/oauth2 GHSA-6v2p-p543-phr9 HIGH golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability v0.21.0 0.27.0 -
golang.org/x/oauth2 GO-2025-3488 HIGH Unexpected memory consumption during token parsing in golang.org/x/oauth2 v0.21.0 0.27.0 -
ℹ️ Other Vulnerabilities (33)
Package CVE Severity Summary Unsafe Version Fixed In Case
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream GHSA-xmrv-pmrh-hhx2 MODERATE Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder v1.6.3 1.7.8 -
github.com/aws/aws-sdk-go-v2/service/lambda GHSA-xmrv-pmrh-hhx2 MODERATE Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder v1.56.1 1.88.5 -
github.com/aws/aws-sdk-go-v2/service/s3 GHSA-xmrv-pmrh-hhx2 MODERATE Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder v1.58.0 1.97.3 -
golang.org/x/crypto GO-2026-5016 MODERATE Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh v0.25.0 0.52.0 -
golang.org/x/crypto GHSA-78mq-xcr3-xm33 MODERATE golang.org/x/crypto/ssh is vulnerable to invoking server panic during CheckHostKey/Authenticate flow v0.25.0 - -
golang.org/x/crypto GO-2026-5033 MODERATE Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent v0.25.0 0.52.0 -
golang.org/x/crypto GO-2025-4135 MODERATE Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent v0.25.0 0.45.0 -
golang.org/x/crypto CVE-2025-47914 MODERATE - v0.25.0 - -
golang.org/x/crypto GHSA-f6x5-jh6r-wrfv MODERATE golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read v0.25.0 0.45.0 -
golang.org/x/crypto GHSA-j5w8-q4qc-rx2x MODERATE golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption v0.25.0 0.45.0 -
golang.org/x/crypto GO-2025-4134 MODERATE Unbounded memory consumption in golang.org/x/crypto/ssh v0.25.0 0.45.0 -
golang.org/x/crypto GHSA-9m57-25v3-79x9 MODERATE golang.org/x/crypto/ssh/agent: Invoking pathological inputs can lead to client panic v0.25.0 - -
golang.org/x/crypto CVE-2025-58181 MODERATE - v0.25.0 - -
golang.org/x/crypto GO-2026-5014 MODERATE Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh v0.25.0 0.52.0 -
golang.org/x/crypto GHSA-45gg-vh54-h5m9 MODERATE golang.org/x/crypto/ssh vulnerable to invoking bypass of certificate restrictions v0.25.0 - -
golang.org/x/crypto GHSA-qpw4-5x99-6vjp MODERATE golang.org/x/crypto/ssh: Invoking memory leak when rejecting channels can lead to DoS v0.25.0 - -
golang.org/x/crypto GO-2026-5015 MODERATE Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh v0.25.0 0.52.0 -
golang.org/x/net GHSA-vvgc-356p-c3xw MODERATE golang.org/x/net vulnerable to Cross-site Scripting v0.27.0 0.38.0 -
golang.org/x/net GO-2026-5028 MODERATE Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html v0.27.0 0.55.0 -
golang.org/x/net GO-2025-3503 MODERATE HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net v0.27.0 0.36.0 -
golang.org/x/net GO-2025-3595 MODERATE Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net v0.27.0 0.38.0 -
golang.org/x/net GHSA-qxp5-gwg8-xv66 MODERATE HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net v0.27.0 0.36.0 -
golang.org/x/net GO-2026-4440 MODERATE Quadratic parsing complexity in golang.org/x/net/html v0.27.0 0.45.0 -
golang.org/x/net GHSA-w4gw-w5jq-g9jh MODERATE golang.org/x/net/html has a Quadratic Parsing Complexity issue v0.27.0 - -
golang.org/x/net GHSA-5cv4-jp36-h3mw MODERATE Go Net HTML parser is vulnerable to denial of service v0.27.0 0.55.0 -
golang.org/x/net GO-2026-5025 unknown Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html v0.27.0 0.55.0 -
golang.org/x/net GO-2026-4918 unknown Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net v0.27.0 0.53.0 -
golang.org/x/net GO-2026-5026 unknown Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna v0.27.0 0.55.0 -
golang.org/x/net GO-2026-5030 unknown Invoking duplicate attributes can cause XSS in golang.org/x/net/html v0.27.0 0.55.0 -
golang.org/x/net GO-2026-5027 unknown Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html v0.27.0 0.55.0 -
golang.org/x/net GO-2026-5029 unknown Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html v0.27.0 0.55.0 -
golang.org/x/net GO-2026-4441 unknown Infinite parsing loop in golang.org/x/net v0.27.0 0.45.0 -
golang.org/x/sys GO-2026-5024 unknown Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows v0.22.0 0.44.0 -

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants