Skip to content

fix(deps): vuln minor upgrades — 15 packages (minor: 10 · patch: 5) #101

Closed
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/go/1-1781532235
Closed

fix(deps): vuln minor upgrades — 15 packages (minor: 10 · patch: 5) #101
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/go/1-1781532235

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown

Summary: Critical-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
github.com/jackc/pgx/v5 v5.7.4 v5.10.0 minor Transitive 4 CRITICAL, 1 LOW
google.golang.org/grpc v1.72.2 v1.81.1 minor Direct 3 CRITICAL
github.com/opencontainers/runc v1.2.6 v1.4.3 minor Transitive 9 HIGH
go.opentelemetry.io/otel/sdk v1.35.0 v1.44.0 minor Direct 4 HIGH
github.com/dvsekhvalnov/jose2go v1.6.0 v1.8.0 minor Transitive 3 HIGH
github.com/go-jose/go-jose/v3 v3.0.4 v3.0.5 patch Direct 2 HIGH
github.com/go-jose/go-jose/v4 v4.1.0 v4.1.4 patch Transitive 2 HIGH
github.com/go-git/go-git/v5 v5.14.0 v5.19.1 minor Direct 1 HIGH, 9 MEDIUM, 4 LOW
github.com/go-git/go-billy/v5 v5.6.2 v5.9.0 minor Transitive 1 HIGH, 1 MEDIUM
github.com/microsoft/kiota-http-go v1.5.2 v1.5.6 patch Transitive 1 HIGH
golang.org/x/crypto v0.38.0 v0.53.0 minor Direct 6 MEDIUM, 14 UNKNOWN
github.com/go-viper/mapstructure/v2 v2.1.0 v2.5.0 minor Transitive 5 MEDIUM
golang.org/x/net v0.40.0 v0.56.0 minor Direct 2 MEDIUM, 8 UNKNOWN
github.com/aws/aws-sdk-go v1.55.7 v1.55.8 patch Direct 2 MEDIUM, 2 LOW
filippo.io/edwards25519 v1.1.0 v1.1.1 patch Transitive 3 LOW

Security Details

🚨 Critical & High Severity (30 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
github.com/jackc/pgx/v5 GHSA-9jj7-4m8r-rfcm CRITICAL Memory-safety vulnerability in github.com/jackc/pgx/v5. v5.7.4 5.9.0
github.com/jackc/pgx/v5 GO-2026-4771 CRITICAL CVE-2026-33815 in github.com/jackc/pgx v5.7.4 5.9.0
github.com/jackc/pgx/v5 GHSA-xgrm-4fwx-7qm8 CRITICAL pgx contains memory-safety vulnerability v5.7.4 -
github.com/jackc/pgx/v5 GO-2026-4772 CRITICAL CVE-2026-33816 in github.com/jackc/pgx v5.7.4 5.9.0
google.golang.org/grpc GO-2026-4762 critical Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc v1.72.2 1.79.3
google.golang.org/grpc GHSA-p77j-4mvh-x3m3 CRITICAL gRPC-Go has an authorization bypass via missing leading slash in :path v1.72.2 1.79.3
google.golang.org/grpc CVE-2026-33186 critical gRPC-Go has an authorization bypass via missing leading slash in :path v1.72.2 -
github.com/dvsekhvalnov/jose2go CVE-2025-63811 high - v1.6.0 -
github.com/dvsekhvalnov/jose2go GHSA-9mj6-hxhv-w67j HIGH jose2go is vulnerable to a JWT bomb attack through its decode function v1.6.0 1.7.0
github.com/dvsekhvalnov/jose2go GO-2025-4123 high Denial-of-Service (DoS) via crafted JSON Web Encryption (JWE) token high compression ratio in github.com/dvsekhvalnov/jose2go v1.6.0 1.7.0
github.com/go-git/go-billy/v5 GHSA-qw64-3x98-g7q2 HIGH go-billy has path traversal vulnerabilities v5.6.2 5.9.0
github.com/go-git/go-git/v5 GHSA-389r-gv7p-r3rp HIGH go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git v5.14.0 5.19.0
github.com/go-jose/go-jose/v3 GHSA-78h2-9frx-2jm8 HIGH Go JOSE Panics in JWE decryption v3.0.4 3.0.5
github.com/go-jose/go-jose/v3 GO-2026-4945 HIGH Go JOSE Panics in JWE decryption in github.com/go-jose/go-jose v3.0.4 3.0.5
github.com/go-jose/go-jose/v4 GHSA-78h2-9frx-2jm8 HIGH Go JOSE Panics in JWE decryption v4.1.0 4.1.4
github.com/go-jose/go-jose/v4 GO-2026-4945 HIGH Go JOSE Panics in JWE decryption in github.com/go-jose/go-jose v4.1.0 4.1.4
github.com/microsoft/kiota-http-go GHSA-7j59-v9qr-6fq9 HIGH Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect v1.5.2 1.5.5
github.com/opencontainers/runc CVE-2025-52881 high runc: LSM labels can be bypassed with malicious config using dummy procfs files v1.2.6 -
github.com/opencontainers/runc GO-2025-4097 HIGH Container escape with malicious config due to /dev/console mount and related races in github.com/opencontainers/runc v1.2.6 1.2.8
github.com/opencontainers/runc CVE-2025-52565 HIGH container escape due to /dev/console mount and related races v1.2.6 -
github.com/opencontainers/runc GHSA-qw9x-cqr3-wc7r HIGH runc container escape with malicious config due to /dev/console mount and related races v1.2.6 1.2.8
github.com/opencontainers/runc GHSA-cgrx-mc8f-2prm HIGH runc container escape and denial of service due to arbitrary write gadgets and procfs write redirects v1.2.6 1.2.8
github.com/opencontainers/runc GO-2025-4098 high Container escape and DDoS due to arbitrary write gadgets and procfs write redirects in github.com/opencontainers/runc v1.2.6 1.2.8
github.com/opencontainers/runc GO-2025-4096 HIGH Container escape via "masked path" abuse due to mount race conditions in github.com/opencontainers/runc v1.2.6 1.2.8
github.com/opencontainers/runc CVE-2025-31133 HIGH runc container escape via "masked path" abuse due to mount race conditions v1.2.6 -
github.com/opencontainers/runc GHSA-9493-h29p-rfm2 HIGH runc container escape via "masked path" abuse due to mount race conditions v1.2.6 1.2.8
go.opentelemetry.io/otel/sdk GHSA-hfvc-g4fc-pqhx HIGH opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking v1.35.0 1.43.0
go.opentelemetry.io/otel/sdk GHSA-9h8m-3fm2-qjrq HIGH OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking v1.35.0 1.40.0
go.opentelemetry.io/otel/sdk CVE-2026-24051 high OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking v1.35.0 -
go.opentelemetry.io/otel/sdk GO-2026-4394 high OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk v1.35.0 1.40.0
ℹ️ Other Vulnerabilities (57)
Package CVE Severity Summary Unsafe Version Fixed In
github.com/go-git/go-git/v5 CVE-2026-25934 medium go-git improperly verifies data integrity values for .idx and .pack files v5.14.0 -
github.com/go-git/go-git/v5 GO-2026-4473 medium Improper verification of data integrity values for .idx and .pack files in github.com/go-git/go-git v5.14.0 5.16.5
golang.org/x/crypto GO-2025-4135 medium Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent v0.38.0 0.45.0
golang.org/x/crypto CVE-2025-47914 medium - v0.38.0 -
github.com/aws/aws-sdk-go GHSA-f5pg-7wfw-84q9 MODERATE CBC padding oracle issue in AWS S3 Crypto SDK for golang v1.55.7 1.34.0
github.com/aws/aws-sdk-go GO-2022-0646 MODERATE CBC padding oracle issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go v1.55.7 -
github.com/go-git/go-billy/v5 GHSA-m3xc-h892-ggx6 MODERATE go-billy: Lack of depth and cycle detection in symlink resolution may lead to infinite loops and resource exhaustion v5.6.2 5.9.0
github.com/go-git/go-git/v5 GHSA-3xc5-wrhm-f963 MODERATE go-git: Credential leak via cross-host redirect in smart HTTP transport v5.14.0 5.18.0
github.com/go-git/go-git/v5 GO-2026-4910 MODERATE Maliciously crafted idx file can cause asymmetric memory consumption in github.com/go-git/go-git v5.14.0 5.17.1
github.com/go-git/go-git/v5 GHSA-37cx-329c-33x3 MODERATE go-git improperly verifies data integrity values for .idx and .pack files v5.14.0 5.16.5
github.com/go-git/go-git/v5 CVE-2026-34165 MODERATE go-git: Maliciously crafted idx file can cause asymmetric memory consumption v5.14.0 -
github.com/go-git/go-git/v5 GHSA-crhj-59gh-8x96 MODERATE go-git: Crafted repositories may modify main and submodule .git directories v5.14.0 5.19.1
github.com/go-git/go-git/v5 GHSA-w5pp-99ch-qj29 MODERATE go-git: Malformed Git object data may cause panics or resource exhaustion v5.14.0 5.19.1
github.com/go-git/go-git/v5 GHSA-jhf3-xxhw-2wpp MODERATE go-git: Maliciously crafted idx file can cause asymmetric memory consumption v5.14.0 5.17.1
github.com/go-viper/mapstructure/v2 GHSA-2464-8j7c-4cjm MODERATE go-viper's mapstructure May Leak Sensitive Information in Logs When Processing Malformed Data v2.1.0 2.4.0
github.com/go-viper/mapstructure/v2 GHSA-fv92-fjc5-jj9h MODERATE mapstructure May Leak Sensitive Information in Logs When Processing Malformed Data v2.1.0 2.3.0
github.com/go-viper/mapstructure/v2 GO-2025-3900 MODERATE Go-viper's mapstructure May Leak Sensitive Information in Logs in github.com/go-viper/mapstructure v2.1.0 2.4.0
github.com/go-viper/mapstructure/v2 GO-2025-3787 MODERATE May leak sensitive information in logs when processing malformed data in github.com/go-viper/mapstructure v2.1.0 2.3.0
github.com/go-viper/mapstructure/v2 CVE-2025-11065 MODERATE - v2.1.0 -
golang.org/x/crypto GHSA-f6x5-jh6r-wrfv MODERATE golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read v0.38.0 0.45.0
golang.org/x/crypto GHSA-j5w8-q4qc-rx2x MODERATE golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption v0.38.0 0.45.0
golang.org/x/crypto CVE-2025-58181 MODERATE - v0.38.0 -
golang.org/x/crypto GO-2025-4134 MODERATE Unbounded memory consumption in golang.org/x/crypto/ssh v0.38.0 0.45.0
golang.org/x/net GHSA-w4gw-w5jq-g9jh MODERATE golang.org/x/net/html has a Quadratic Parsing Complexity issue v0.40.0 -
golang.org/x/net GO-2026-4440 MODERATE Quadratic parsing complexity in golang.org/x/net/html v0.40.0 0.45.0
filippo.io/edwards25519 GHSA-fw7p-63qq-7hpr LOW filippo.io/edwards25519 MultiScalarMult produces invalid results or undefined behavior if receiver is not the identity v1.1.0 1.1.1
filippo.io/edwards25519 GO-2026-4503 LOW Invalid result or undefined behavior in filippo.io/edwards25519 v1.1.0 1.1.1
filippo.io/edwards25519 CVE-2026-26958 LOW filippo.io/edwards25519 MultiScalarMult function produces invalid results or undefined behavior if receiver is not the identity v1.1.0 -
github.com/aws/aws-sdk-go GO-2022-0635 LOW In-band key negotiation issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go v1.55.7 -
github.com/aws/aws-sdk-go GHSA-7f33-f4f5-xwgw LOW In-band key negotiation issue in AWS S3 Crypto SDK for golang v1.55.7 1.34.0
github.com/go-git/go-git/v5 GHSA-m7cr-m3pv-hgrp LOW go-git: Improper single-quote escaping in go-git SSH transport v5.14.0 5.19.1
github.com/go-git/go-git/v5 GHSA-gm2x-2g9h-ccm8 LOW go-git missing validation decoding Index v4 files leads to panic v5.14.0 5.17.1
github.com/go-git/go-git/v5 CVE-2026-33762 low go-git: Missing validation decoding Index v4 files leads to panic v5.14.0 -
github.com/go-git/go-git/v5 GO-2026-4909 low Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git v5.14.0 5.17.1
github.com/jackc/pgx/v5 GHSA-j88v-2chj-qfwx LOW pgx: SQL Injection via placeholder confusion with dollar quoted string literals v5.7.4 5.9.2
golang.org/x/crypto GO-2026-5013 unknown Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh v0.38.0 0.52.0
golang.org/x/crypto GO-2026-5014 unknown Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh v0.38.0 0.52.0
golang.org/x/crypto GO-2026-5006 unknown Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent v0.38.0 0.52.0
golang.org/x/crypto GO-2026-5016 unknown Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh v0.38.0 0.52.0
golang.org/x/crypto GO-2026-5021 unknown Invoking auth bypass via unenforced @Revoked status in golang.org/x/crypto/ssh/knownhosts v0.38.0 0.52.0
golang.org/x/crypto GO-2026-5017 unknown Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh v0.38.0 0.52.0
golang.org/x/crypto GO-2026-5005 unknown Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent v0.38.0 0.52.0
golang.org/x/crypto GO-2026-5033 unknown Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent v0.38.0 0.52.0
golang.org/x/crypto GO-2025-4116 unknown Potential denial of service in golang.org/x/crypto/ssh/agent v0.38.0 0.43.0
golang.org/x/crypto GO-2026-5023 unknown Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh v0.38.0 0.52.0
golang.org/x/crypto GO-2026-5019 unknown Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh v0.38.0 0.52.0
golang.org/x/crypto GO-2026-5020 unknown Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh v0.38.0 0.52.0
golang.org/x/crypto GO-2026-5018 unknown Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh v0.38.0 0.52.0
golang.org/x/crypto GO-2026-5015 unknown Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh v0.38.0 0.52.0
golang.org/x/net GO-2026-5028 unknown Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html v0.40.0 0.55.0
golang.org/x/net GO-2026-5025 unknown Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html v0.40.0 0.55.0
golang.org/x/net GO-2026-4441 unknown Infinite parsing loop in golang.org/x/net v0.40.0 0.45.0
golang.org/x/net GO-2026-5026 unknown Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna v0.40.0 0.55.0
golang.org/x/net GO-2026-4918 unknown Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net v0.40.0 0.53.0
golang.org/x/net GO-2026-5027 unknown Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html v0.40.0 0.55.0
golang.org/x/net GO-2026-5029 unknown Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html v0.40.0 0.55.0
golang.org/x/net GO-2026-5030 unknown Invoking duplicate attributes can cause XSS in golang.org/x/net/html v0.40.0 0.55.0

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@datadog-official

Copy link
Copy Markdown

Pipelines

Fix all issues with BitsAI

⚠️ Warnings

🚦 1 Pipeline job failed

Run linters | Setup   View in Datadog   GitHub Actions

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: febf922 | Docs | Datadog PR Page | Give us feedback!

@gh-worker-campaigns-3e9aa4 gh-worker-campaigns-3e9aa4 Bot deleted the engraver-auto-version-upgrade/minorpatch/go/1-1781532235 branch July 6, 2026 14:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants