Upgrade Go to 1.25.9, fix 24 stdlib vulnerabilities #125

Merged: jbarciabf merged 3 commits into main from fix/go-stdlib-vulnerabilities, Apr 13, 2026
@jbarciabf
Collaborator

Upgrades Go from 1.24.2 to 1.25.9, resolving all 24 standard library vulnerabilities flagged by govulncheck.

Vulnerabilities Fixed

  • crypto/tls: GO-2026-4870, GO-2026-4340, GO-2026-4337, GO-2025-4008
  • crypto/x509: GO-2026-4947, GO-2026-4946, GO-2025-4175, GO-2025-4155, GO-2025-4013, GO-2025-4007, GO-2025-3749
  • html/template: GO-2026-4865, GO-2026-4603
  • net/url: GO-2026-4601, GO-2026-4341, GO-2025-4010
  • net/http: GO-2025-4012, GO-2025-3751
  • os: GO-2026-4602
  • os/exec: GO-2025-3956
  • net/textproto: GO-2025-4015
  • net/mail: GO-2025-4006
  • encoding/asn1: GO-2025-4011
  • encoding/pem: GO-2025-4009

Verification

  • govulncheck (binary mode): 0 vulnerabilities after upgrade
  • Build: passes
  • Unit tests: pass (pre-existing resource-trusts panic unrelated to this change)

Version bumped to 2.0.3.

Fixes 24 standard library vulnerabilities in crypto/tls, crypto/x509,
net/url, net/http, html/template, encoding/asn1, encoding/pem,
net/mail, net/textproto, os, and os/exec.
Fixes CVE-2026-39883 (PATH hijacking in otel SDK) and
CVE-2026-34986 (panic in JWE decryption in go-jose).
Updates aws-sdk-go-v2/aws/protocol/eventstream to v1.7.8,
service/s3 to v1.97.3, service/lambda to v1.88.5, and
service/kinesis to v1.43.5.
@jbarciabf jbarciabf merged commit 142757b into main Apr 13, 2026
1 check passed
@jbarciabf jbarciabf added dependencies Pull requests that update a dependency file security bug labels Apr 21, 2026
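
Added example, not part of this pull request or the project's code: a small Go program that reads the toolchain version recorded in a compiled binary and fails if it predates go1.25.9, the release this PR upgrades to, so a release artifact built with an older toolchain is caught. The function names `binaryToolchain` and `toolchainAtLeast` are hypothetical; only the standard library's `debug/buildinfo` and `go/version` packages are used.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"go/version"
	"os"
	"strings"
)

// minGo is the toolchain release this PR upgrades to.
const minGo = "go1.25.9"

// binaryToolchain returns the Go release recorded in a compiled binary.
func binaryToolchain(path string) (string, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", fmt.Errorf("read build info from %s: %w", path, err)
	}
	// GoVersion may carry a suffix after the release; keep the first token.
	fields := strings.Fields(info.GoVersion)
	if len(fields) == 0 {
		return "", fmt.Errorf("%s: no Go version recorded", path)
	}
	return fields[0], nil
}

// toolchainAtLeast fails closed on versions it cannot parse (e.g. devel builds).
func toolchainAtLeast(got, floor string) bool {
	return version.IsValid(got) && version.Compare(got, floor) >= 0
}

// main checks every binary named on the command line (hypothetical CLI).
func main() {
	stale := false
	for _, path := range os.Args[1:] {
		v, err := binaryToolchain(path)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			stale = true
			continue
		}
		ok := toolchainAtLeast(v, minGo)
		fmt.Printf("%s: built with %s (want >= %s) ok=%t\n", path, v, minGo, ok)
		stale = stale || !ok
	}
	if stale {
		os.Exit(1)
	}
}
```

Run it against the built artifact in CI alongside govulncheck; a non-zero exit means at least one binary was unreadable or built with a toolchain older than go1.25.9.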