Skip to content

Bump Golang to 1.24.9 and other modules for CVE fixes #1097

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: develop
Choose a base branch
from
Open

Bump Golang to 1.24.9 and other modules for CVE fixes #1097

wants to merge 4 commits into from

Conversation

@sameerkhan-maker
Copy link

@sameerkhan-maker sameerkhan-maker commented Nov 20, 2025

What this PR does / why we need it:

Bump Golang to 1.24.9 and other modules for CVE fixes

Which issue(s) this PR fixes:

Fixes following CVEs :

┌─────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬──────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │  Status  │ Installed Version │          Fixed Version           │                            Title                             │
├─────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net    │ CVE-2025-22870 │ MEDIUM   │ fixed    │ v0.34.0           │ 0.36.0                           │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy:     │
│                     │                │          │          │                   │                                  │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net    │
│                     │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-22870                   │
│                     ├────────────────┤          │          │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-22872 │          │          │                   │ 0.38.0                           │ golang.org/x/net/html: Incorrect Neutralization of Input     │
│                     │                │          │          │                   │                                  │ During Web Page Generation in x/net in...                    │
│                     │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-22872                   │
├─────────────────────┼────────────────┼──────────┤          ├───────────────────┼──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/oauth2 │ CVE-2025-22868 │ HIGH     │          │ v0.21.0           │ 0.27.0                           │ golang.org/x/oauth2/jws: Unexpected memory consumption       │
│                     │                │          │          │                   │                                  │ during token parsing in golang.org/x/oauth2/jws              │
│                     │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-22868                   │
├─────────────────────┼────────────────┼──────────┤          ├───────────────────┼──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ k8s.io/kubernetes   │ CVE-2024-9042  │ MEDIUM   │          │ v1.31.2           │ 1.29.13, 1.30.9, 1.31.5, 1.32.1  │ kubelet: Command Injection affecting Windows nodes via       │
│                     │                │          │          │                   │                                  │ nodes/*/logs/query API                                       │
│                     │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-9042                    │
│                     ├────────────────┤          │          │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-0426  │          │          │                   │ 1.32.2, 1.31.6, 1.30.10, 1.29.14 │ k8s.io/kubernetes: kubelet: node denial of service via       │
│                     │                │          │          │                   │                                  │ kubelet checkpoint API                                       │
│                     │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-0426                    │
│                     ├────────────────┤          ├──────────┤                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-5187  │          │ fixed    │                   │ 1.31.12, 1.32.8, 1.33.4          │ kubernetes: kube-apiserver: Nodes can delete themselves by   │
│                     │                │          │          │                   │                                  │ adding an OwnerReference                                     │
│                     │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-5187                    │
├─────────────────────┼────────────────┼──────────┤          ├───────────────────┼──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib              │ CVE-2025-47907 │ HIGH     │          │ v1.23.3           │ 1.23.12, 1.24.6                  │ database/sql: Postgres Scan Race Condition                   │
│                     │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-47907                   │
│                     ├────────────────┤          │          │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-58183 │          │          │                   │ 1.24.8, 1.25.2                   │ golang: archive/tar: Unbounded allocation when parsing GNU   │
│                     │                │          │          │                   │                                  │ sparse map                                                   │
│                     │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-58183                   │
│                     ├────────────────┤          │          │                   │                                  ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-58186 │          │          │                   │                                  │ Despite HTTP headers having a default limit of 1MB, the      │
│                     │                │          │          │                   │                                  │ number of...                                                 │
│                     │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-58186                   │
│                     ├────────────────┤          │          │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-58187 │          │          │                   │ 1.24.9, 1.25.3                   │ Due to the design of the name constraint checking algorithm, │
│                     │                │          │          │                   │                                  │ the proce...                                                 │
│                     │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-58187                   │
│                     ├────────────────┤          │          │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-58188 │          │          │                   │ 1.24.8, 1.25.2                   │ Validating certificate chains which contain DSA public keys  │
│                     │                │          │          │                   │                                  │ can cause ......                                             │
│                     │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-58188                   │
│                     ├────────────────┼──────────┤          │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-45336 │ MEDIUM   │          │                   │ 1.22.11, 1.23.5, 1.24.0-rc.2     │ golang: net/http: net/http: sensitive headers incorrectly    │
│                     │                │          │          │                   │                                  │ sent after cross-domain redirect                             │
│                     │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-45336                   │
│                     ├────────────────┤          │          │                   │                                  ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-45341 │          │          │                   │                                  │ golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can │
│                     │                │          │          │                   │                                  │ bypass URI name...                                           │
│                     │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-45341                   │
│                     ├────────────────┤          │          │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-0913  │          │          │                   │ 1.23.10, 1.24.4                  │ Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows │
│                     │                │          │          │                   │                                  │ in os in syscall...                                          │
│                     │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-0913                    │
│                     ├────────────────┤          │          │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-22866 │          │          │                   │ 1.22.12, 1.23.6, 1.24.0-rc.3     │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│                     │                │          │          │                   │                                  │ on ppc64le in crypto/internal/nistec                         │
│                     │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-22866                   │
│                     ├────────────────┤          │          │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-22871 │          │          │                   │ 1.23.8, 1.24.2                   │ net/http: Request smuggling due to acceptance of invalid     │
│                     │                │          │          │                   │                                  │ chunked data in net/http...                                  │
│                     │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-22871                   │
│                     ├────────────────┤          │          │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-4673  │          │          │                   │ 1.23.10, 1.24.4                  │ net/http: Sensitive headers not cleared on cross-origin      │
│                     │                │          │          │                   │                                  │ redirect in net/http                                         │
│                     │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-4673                    │
│                     ├────────────────┤          │          │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-47906 │          │          │                   │ 1.23.12, 1.24.6                  │ os/exec: Unexpected paths returned from LookPath in os/exec  │
│                     │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-47906                   │
│                     ├────────────────┤          │          │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-47912 │          │          │                   │ 1.24.8, 1.25.2                   │ net/url: Insufficient validation of bracketed IPv6 hostnames │
│                     │                │          │          │                   │                                  │ in net/url                                                   │
│                     │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-47912                   │
│                     ├────────────────┤          │          │                   │                                  ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-58185 │          │          │                   │                                  │ encoding/asn1: Parsing DER payload can cause memory          │
│                     │                │          │          │                   │                                  │ exhaustion in encoding/asn1                                  │
│                     │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-58185                   │
│                     ├────────────────┤          │          │                   │                                  ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-58189 │          │          │                   │                                  │ crypto/tls: go crypto/tls ALPN negotiation error contains    │
│                     │                │          │          │                   │                                  │ attacker controlled information                              │
│                     │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-58189                   │
│                     ├────────────────┤          │          │                   │                                  ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-61723 │          │          │                   │                                  │ encoding/pem: Quadratic complexity when parsing some invalid │
│                     │                │          │          │                   │                                  │ inputs in encoding/pem                                       │
│                     │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-61723                   │
│                     ├────────────────┤          │          │                   │                                  ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-61724 │          │          │                   │                                  │ net/textproto: Excessive CPU consumption in                  │
│                     │                │          │          │                   │                                  │ Reader.ReadResponse in net/textproto                         │
│                     │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-61724                   │
│                     ├────────────────┤          │          │                   │                                  ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-61725 │          │          │                   │                                  │ net/mail: Excessive CPU consumption in ParseAddress in       │
│                     │                │          │          │                   │                                  │ net/mail                                                     │
│                     │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-61725                   │
└─────────────────────┴────────────────┴──────────┴──────────┴───────────────────┴──────────────────────────────────┴──────────────────────────────────────────────────────────────┘

Does this PR introduce a user-facing change?

Additional Notes for your reviewer:

Review Checklist:
  • Follows the developer guidelines
  • Relevant tests are added or updated
  • Relevant docs in this repo added or updated
  • Relevant carvel.dev docs added or updated in a separate PR and there's
    a link to that PR
  • Code is at least as readable and maintainable as it was before this
    change

Additional documentation e.g., Proposal, usage docs, etc.:

@sameerkhan-maker sameerkhan-maker changed the title Bump go libraries CVE fix Bump Golang to 1.24.9 and other modules for CVE fixes Nov 20, 2025
@sameerkhan-maker sameerkhan-maker mentioned this pull request Nov 20, 2025
Closed
5 tasks
@sameerkhan-maker sameerkhan-maker force-pushed the bump-go-libraries-cve-fix branch 2 times, most recently from af8c2f2 to 5e592cb Compare November 20, 2025 10:03
@sameerkhan-maker sameerkhan-maker force-pushed the bump-go-libraries-cve-fix branch from 5e592cb to 7e66601 Compare November 20, 2025 10:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

Carvel
Status: No status

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sameerkhan-maker