Skip to content

chore(deps): update docker.io/cuelang/cue docker tag to v0.17.1#346

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/docker.io-cuelang-cue-0.x
Open

chore(deps): update docker.io/cuelang/cue docker tag to v0.17.1#346
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/docker.io-cuelang-cue-0.x

Conversation

@renovate

@renovate renovate Bot commented Dec 1, 2025

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Type Update Change OpenSSF
docker.io/cuelang/cue stage minor 0.13.20.17.1 OpenSSF Scorecard

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

cue-lang/cue (docker.io/cuelang/cue)

v0.17.1

Compare Source

Evaluator

Fix several regressions introduced in v0.17.0: a panic when evaluating some disjunctions (#​4419), and spurious invalid interpolation (#​4420), field not allowed (#​4423), and structural cycle (#​4430) errors involving comprehensions or self references.

Fix two regressions introduced in v0.17.0 where evaluation could hang (#​4421, #​4422), as well as two long-standing hangs on self-referencing configurations (#​2766, #​4231).

cmd/cue

Fix a panic in cue exp gengotypes, a regression introduced in v0.17.0, when a definition references a definition from another package via embedding (#​4436).

Module replacements are now subject to minimum-version selection like any other dependency. cue mod tidy now normalizes a fully-pinned replacement to its major version and records the target as a regular dependency.

Full list of changes since v0.17.0
  • internal/cueversion: bump for v0.17.1 by @​mvdan in fc6c0b2
  • internal/ci: bump pinnedReleaseGo for v0.17.1 by @​mvdan in 9c720d0
  • [release-branch.v0.17] internal/core: resolve import instances back to their build instance by @​mvdan in 8ead2d9
  • [release-branch.v0.17] internal/core/adt: allow chained re-instantiation of inline conjunctions by @​mvdan in f81f772
  • [release-branch.v0.17] cue/testdata/cycle: add regression test for spurious inline cycle by @​mvdan in 993c44e
  • [release-branch.v0.17] internal/core/adt: fix hang on let binding a self-referencing struct by @​mvdan in 1cd5e1f
  • [release-branch.v0.17] internal/core/adt: fix hang on self-feeding cycle advancing depth by @​mvdan in ed51952
  • [release-branch.v0.17] internal/core/adt: defer field-set freeze for a running resolver by @​mvdan in e69e621
  • [release-branch.v0.17] internal/core/adt: defer fieldSetKnown for a running field-adding conjunct by @​mvdan in 459016a
  • [release-branch.v0.17] internal/core/adt: do not defer resolvers during comprehension clauses by @​mvdan in f89ebec
  • [release-branch.v0.17] cue/testdata/comprehensions: test guard-driven premature finalization by @​mvdan in 6176fb5
  • [release-branch.v0.17] internal/core/adt,pkg: bound string, bytes, and list repeat counts by @​mvdan in 3017156
  • [release-branch.v0.17] cue/parser: limit expression nesting depth during parsing by @​mvdan in f6f05bb
  • [release-branch.v0.17] internal/encoding/yaml: limit the size of YAML alias expansion by @​mvdan in 04d57ab
  • [release-branch.v0.17] internal/core/adt: treat cyclic under-resolved values as incomplete scalars by @​mvdan in 63994d5
  • [release-branch.v0.17] cue/testdata/references: test a comprehension dynamic field under a let self by @​mvdan in 0ba71ca
  • [release-branch.v0.17] internal/core/adt: do not reclaim disjunct arc states before merging by @​mvdan in b72d5b4
  • [release-branch.v0.17] internal/core/adt: do not discard recomputed let cycle placeholders by @​mvdan in f82d498
  • [release-branch.v0.17] internal/core/adt: fix hang on dynamic field whose key is under evaluation by @​mvdan in e0b974d
  • [release-branch.v0.17] all: re-run tests with CUE_UPDATE=1 by @​mvdan in 7d5a557
  • [release-branch.v0.17] encoding/jsonschema: avoid panic on non-string element in "required" by @​mvdan in f6bc350

v0.17.0

Compare Source

Changes which may break some users are marked below with: ⚠️

Language

The active try experiment renames the new fallback keyword, used with for comprehensions, to otherwise. fallback continues to be accepted for now, but is rewritten to the new form.

The active aliasv2 experiment now allows ~(X) as an alternative to ~X for the single postfix alias form. ~X is also rewritten as ~(X) for the sake of consistency and clarity.

Language versions v0.17.0 and later allow omitting commas in multi-line lists. Just like a newline after a struct field implies a comma, a newline after a list element now implies a comma as well.

Language versions v0.17.0 and later allow a newline or a comma before the closing bracket of an index expression, matching how lists and func arguments allow omitting trailing commas.

The language spec is tweaked to make $ a valid identifier, which was already allowed by the parser and evaluator.

⚠️ Support for the infix div, mod, quo, and rem operators has been removed. Since late 2020, these infix forms have been undocumented and rewritten by cue fix to the new function calls.

The new shortcircuit experiment

This release introduces the shortcircuit experiment, which changes the && and || operators to not evaluate the right operand if the left operand alone determines the result.

This matches the behavior already documented in the CUE spec and is consistent with most mainstream languages, but for the sake of a smooth transition for end users, we are rolling out this change via an experiment.

You can try this experiment via the @experiment(shortcircuit) file attribute. To mimic the old behavior with the experiment, you can use a hidden field:

_y: Y
if X && _y {}

Evaluator

Comprehensions

The comprehension algorithm now waits to run a comprehension's body until the fields it reads have a concrete value, rather than trying to produce its fields up front. This resolves a number of long-standing bugs, most notably the last known regressions from evalv2, where a comprehension that should have resolved instead failed as an incomplete value or a cycle.

This design also greatly simplifies upcoming evaluator work, such as introducing new builtins to replace comparing values to bottom, as well as the design of evalv4.

Other changes

The evaluator no longer deduplicates errors just by position, which was causing some useful errors from disjunctions or standard library calls to be dropped incorrectly.

Several long-standing cycle-detection bugs have been fixed, such as self-referential uses of matchN and matchIf, self-feeding disjunctions, and comprehensions that read a let binding which refers back to the comprehension's own fields.

Fixed a bug where the same package imported via different qualified import paths (e.g. foo.com/bar@v0 or foo.com/bar:baz) did not share the same hidden field namespace.

Resolving an unversioned import from a dependency module now respects that module's own default major version, instead of always using the main module's default.

Fix a number of issues where cue def could produce invalid CUE output, such as due to name conflicts.

Fix an evaluator regression where embedded disjunctions across packages may not correctly apply closedness.

Fix an evaluator bug where cue.Context.BuildExpr of close({}) did not actually result in a closed struct.

Fix a bug where some calls to standard library functions or validators did not include the "error in call to pkg.Func" error context, or included it twice.

A few changes to the evaluator should reduce allocated objects by up to 16%, reducing GC overhead and memory usage.

To ease the transition into the new formatter we plan to release with v0.18, CUE_EXPERIMENT=formatv2=0 is now allowed as a no-op.

A number of other bugs, panics, and hangs have been resolved as well.

cmd/cue

Module replaces

CUE now supports substituting a module dependency with a local directory or a different remote module during development - for example while testing a fix to a dependency before it is published, or to replace a dependency with a fork including improvements.

This configuration lives in cue.mod/local-module.cue, which is excluded when publishing to registries. cue mod edit and cue mod tidy gain support for maintaining this file.

We have also published a how-to guide on replacing a dependency with a local module.

Read the full design doc in the proposal, or read the cue.mod/local-module.cue reference docs.

Other changes

The new global -C or --chdir flag runs cue from the given working directory.

Command input parsing is improved so that CUE packages can come after data files, such as cue vet -c data.yaml ./schema.

cue import --with-context now ensures that data represents the original raw input data, and not its interpretation like JSON Schema.
cue import --path now skips over null values in an input stream, such as empty documents in a YAML file.

Fix a bug where the flag cue export --path was ignored when the inputs were pure CUE.

The new cue exp gengotypes --outfile flag controls the output file path when generating a single package.

cue vet -d/--schema now supports hidden fields, and correctly reports an error when the command inputs are CUE only.

cue fix and cue trim no longer change file modification times when no changes are necessary.

A $CUE_CACHE_DIR directory is no longer required when loading CUE without external dependencies.

The "filetypes" lookup tables now use a more compact encoding, saving about 150KiB in binary size for cmd/cue as well as Go API users.

LSP server

Add an initial version of organize-imports, which sorts the existing imports and removes unneeded imports. It is not yet capable of suggesting missing imports.

Wait for a short period of inactivity before sending diagnostics to the editor. This "debounce" means that a user typing incomplete CUE syntax will not be distracted with syntax errors as much.

The aliasv2 experiment is now fully supported.

The rename function is fixed to distinguish between field names and aliases.

Improve field name analysis in general so that fields with multiple aliases (e.g. v=[k=string]: _) are properly supported.

Improve attribute handling for file-level embedded attributes, and to attach attributes within expressions to the correct struct.

Treat conjunctions (&) and disjunctions (|) the same way for goto-definition. With the cursor on a path, it returns all results that the path MAY resolve to. With the cursor on a field declaration name, it returns all results that the path constructed from the field's name, and its field's name (and so on) MAY resolve to.

Special-case close function calls so that paths can resolve through fields within the argument to close.

Encodings

⚠️ The experimental JSON Schema encoder now emits most definitions without the leading # character, shortening names and ensuring compatibility with the wider JSON Schema ecosystem. This required deprecating encoding/jsonschema.GenerateConfig.NameFunc in favor of NamesFunc.

The JSON Schema encoder is improved to support list.UniqueItems and standalone validators, to use maxItems and minItems instead of maxLength and minLength for lists with prefix elements, and to generate description keywords for doc comments.

Several closedness bugs in the JSON Schema encoder have been fixed, ensuring that the generated JSON Schema behaves the same way as the original CUE definition.

The JSON Schema decoder is improved to better handle the prefixItems keyword.

The ProtoBuf decoder now resolves relative references following the usual scoping rules, instead of always resolving them against the top-level scope.

Standard library

Add time.ToUnix and time.ToUnixNano, which convert an RFC3339Nano time value into seconds or nanoseconds since the Unix epoch, complementing the existing Unix builtin.

strconv.FormatFloat now accepts a string format parameter, like FormatFloat(3.14, "e", 4, 64).

list.MatchN now shows what expected value it's matching against when it fails.

The net IP APIs now consistently return an error on invalid input types.

Go API

Using cue.Values concurrently is now fully supported, which required deprecating cue.Value.Context. If you encounter any races or bugs, please report them via the issue tracker.

cue/load now supports loading from an io/fs.FS, as outlined in proposal #​4285. Loading file embeds through Config.Overlay and Config.FS is supported now as well.

cue/ast/astutil deprecates Sanitize in favor of the new SanitizeFiles API, given that Sanitize on a single file cannot know if another file in the same package shadows builtin names like self.

Add Path.Compare and Selector.Compare, providing allocation-free total ordering suitable for slices.SortFunc.

Clarify that cue/format indents with a tab width of 4 by default.

A new fuzzer has been introduced in the cue package, checking that the parser doesn't crash and that its results are consistent with the rest of the Go APIs like cue/literal. So far, it has already resulted in seventeen bug fixes.

The cue.Interpreter option API has been deprecated in favor of cue.WithInjection, which is a better name going forward.

⚠️ cue/ast.File.Imports, deprecated in mid 2025 in favor of cue/ast.File.ImportSpecs, is now removed.

⚠️ The long-deprecated and hidden cue.Instance methods Lookup, LookupDef, LookupField, and Fill are now removed.

⚠️ The modconfig.Registry interface is changed to report default major versions, which is required for resolving unversioned imports against each dependency module's own defaults. Clients that implement or wrap the interface will need to update. The new interface is future-proofed for upcoming modules changes.

Full list of changes since v0.16.0

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, on day 1 of the month (* 0-3 1 * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
renovate Bot requested a review from Djaytan as a code owner December 1, 2025 01:16
@github-actions

github-actions Bot commented Dec 1, 2025

Copy link
Copy Markdown

Overview

Image reference djaytan/papermc-server:1.21.11 djaytan/papermc-server:test
- digest 5a306e36683d bab40aefc725
- tag 1.21.11 test
- stream latest
- vulnerabilities critical: 6 high: 44 medium: 48 low: 8 unspecified: 5 critical: 4 high: 34 medium: 25 low: 8 unspecified: 3
- platform linux/amd64 linux/amd64
- size 82 MB 148 MB (+66 MB)
- packages 93 178 (+85)
Base Image alpine:3
also known as:
3.23
latest
alpine:3
also known as:
3.23
latest
- vulnerabilities critical: 2 high: 14 medium: 7 low: 3 critical: 2 high: 14 medium: 7 low: 3
Policies (1 improved, 1 worsened, 3 missing data)
Policy Name djaytan/papermc-server:1.21.11 djaytan/papermc-server:test Change Standing
No unapproved base images ⚠️ 1 ❓ No data
Default non-root user No Change
No AGPL v3 licenses No Change
No fixable critical or high vulnerabilities ⚠️ 63 ⚠️ 38 -25 Improved
No high-profile vulnerabilities No Change
No outdated base images ❓ No data
SonarQube quality gates passed ❓ No data ❓ No data
Supply chain attestations ⚠️ 2 +2 Worsened
Packages and Vulnerabilities (123 package changes and 30 vulnerability changes)
  • ➕ 95 packages added
  • ➖ 13 packages removed
  • ♾️ 15 packages changed
  • 62 packages unchanged
  • ❗ 11 vulnerabilities added
  • ✔️ 19 vulnerabilities removed
Changes for packages of type apk (9 changes)
Package Version
djaytan/papermc-server:1.21.11
Version
djaytan/papermc-server:test
alpine-base 3.23.3-r0
ca-certificates 20251003-r0
gcc 15.2.0-r2
♾️ libxml2 2.13.9-r1 2.13.9-r0
critical: 0 high: 0 medium: 0 low: 2 unspecified: 1 critical: 0 high: 0 medium: 1 low: 2 unspecified: 1
Added vulnerabilities (1):
  • medium : CVE--2026--6732
ncurses 6.5_p20251123-r0
openssl 3.5.5-r0
critical: 2 high: 13 medium: 5 low: 2
Added vulnerabilities (22):
  • critical : CVE--2026--31789
  • critical : CVE--2026--34182
  • high : CVE--2026--45447
  • high : CVE--2026--7383
  • high : CVE--2026--28387
  • high : CVE--2026--9076
  • high : CVE--2026--45445
  • high : CVE--2026--42764
  • high : CVE--2026--34183
  • high : CVE--2026--34180
  • high : CVE--2026--31790
  • high : CVE--2026--28390
  • high : CVE--2026--28389
  • high : CVE--2026--28388
  • high : CVE--2026--34181
  • medium : CVE--2026--2673
  • medium : CVE--2026--42767
  • medium : CVE--2026--42766
  • medium : CVE--2026--42769
  • medium : CVE--2026--45446
  • low : CVE--2026--42770
  • low : CVE--2026--42768
pax-utils 1.3.8-r2
xz 5.8.2-r0
critical: 0 high: 0 medium: 0 low: 1
Added vulnerabilities (1):
  • low : CVE--2026--34743
♾️ xz-libs 5.8.3-r0 5.8.2-r0
Changes for packages of type generic (2 changes)
Package Version
djaytan/papermc-server:1.21.11
Version
djaytan/papermc-server:test
openjdk 21.0.10
openjdk 21.0.10
Changes for packages of type golang (36 changes)
Package Version
djaytan/papermc-server:1.21.11
Version
djaytan/papermc-server:test
cuelabs.dev/go/oci/ociregistry 0.0.0-20260601085548-328ff8e2c943
cuelabs.dev/go/oci/ociregistry 0.0.0-20250304105642-27e071d2c9b1
♾️ cuelang.org/go 0.13.2 0.17.1
github.com/cenkalti/backoff/v5 5.0.3
github.com/cenkalti/backoff/v5 5.0.3
github.com/cespare/xxhash/v2 2.3.0
github.com/cespare/xxhash/v2 2.3.0
github.com/cockroachdb/apd/v3 3.2.1
github.com/cockroachdb/apd/v3 3.2.3
github.com/coder/websocket 1.8.14
♾️ github.com/emicklei/proto 1.14.0 1.14.3
github.com/grpc-ecosystem/grpc-gateway/v2 2.27.7
github.com/grpc-ecosystem/grpc-gateway/v2 2.27.7
github.com/pelletier/go-toml/v2 2.3.1
github.com/pelletier/go-toml/v2 2.2.4
♾️ github.com/protocolbuffers/txtpbfmt 0.0.0-20250129171521-feedd8250727 0.0.0-20260420112717-c39628bde8b5
♾️ github.com/rogpeppe/go-internal 1.14.1 1.15.0
♾️ github.com/spf13/cobra 1.9.1 1.10.2
♾️ github.com/spf13/pflag 1.0.6 1.0.10
go.opentelemetry.io/contrib/instrumentation/runtime 0.65.0
go.opentelemetry.io/contrib/instrumentation/runtime 0.65.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc 1.40.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc 1.40.0
go.opentelemetry.io/otel/sdk/metric 1.40.0
go.yaml.in/yaml/v3 3.0.4
♾️ golang.org/x/mod 0.24.0 0.37.0
♾️ golang.org/x/net 0.49.0 0.56.0
critical: 1 high: 1 medium: 5 low: 0
Removed vulnerabilities (7):
  • critical : CVE--2026--39821
  • high : CVE--2026--33814
  • medium : CVE--2026--25680
  • medium : CVE--2026--42506
  • medium : CVE--2026--42502
  • medium : CVE--2026--27136
  • medium : CVE--2026--25681
♾️ golang.org/x/oauth2 0.29.0 0.36.0
♾️ golang.org/x/sync 0.13.0 0.21.0
♾️ golang.org/x/text 0.33.0 0.38.0
♾️ golang.org/x/tools 0.32.0 0.45.0
google.golang.org/genproto/googleapis/api 0.0.0-20260203192932-546029d2fa20
google.golang.org/genproto/googleapis/rpc 0.0.0-20260203192932-546029d2fa20
google.golang.org/genproto/googleapis/rpc 0.0.0-20260203192932-546029d2fa20
gopkg.in/yaml.v3 3.0.1
♾️ stdlib 1.25.7 1.26.5
critical: 0 high: 10 medium: 9 low: 1 unspecified: 2
Removed vulnerabilities (22):
  • high : CVE--2026--42504
  • high : CVE--2026--42499
  • high : CVE--2026--39836
  • high : CVE--2026--39820
  • high : CVE--2026--33814
  • high : CVE--2026--33811
  • high : CVE--2026--32283
  • high : CVE--2026--32281
  • high : CVE--2026--32280
  • high : CVE--2026--25679
  • medium : CVE--2026--27145
  • medium : CVE--2026--32282
  • medium : CVE--2026--39826
  • medium : CVE--2026--39823
  • medium : CVE--2026--32289
  • medium : CVE--2026--27142
  • medium : CVE--2026--32288
  • medium : CVE--2026--42507
  • medium : CVE--2026--39825
  • low : CVE--2026--27139
  • unspecified : CVE--2026--42505
  • unspecified : CVE--2026--39822
Changes for packages of type maven (76 changes)
Package Version
djaytan/papermc-server:1.21.11
Version
djaytan/papermc-server:test
AutoRenamingTool/AutoRenamingTool 2.0.3
ansi/ansi 1.1.1
asm-utils/asm-utils 0.0.3
cli-utils/cli-utils 2.1.4
com.google.errorprone/error_prone_annotations 2.41.0
com.google.guava/listenablefuture 9999.0-empty-to-avoid-conflict-with-guava
com.google.j2objc/j2objc-annotations 3.1
com.google.protobuf/protobuf-java 4.29.0
com.googlecode.json-simple/json-simple 1.1.1
com.lmax.disruptor/disruptor 3.4.4
com.mysql/mysql-connector-j 9.2.0
commons-codec/commons-codec 1.16.0
commons-lang/commons-lang 2.6
critical: 0 high: 0 medium: 1 low: 0
Added vulnerabilities (1):
  • medium : CVE--2025--48924
concurrentutil/concurrentutil 0.0.8
examination-api/examination-api 1.3.0
examination-string/examination-string 1.3.0
gson-io/gson-io 2.0.17
io.leangen.geantyref/geantyref 1.3.16
io.netty/netty-codec-haproxy 4.2.7.Final
critical: 0 high: 2 medium: 0 low: 0
Added vulnerabilities (2):
  • high : CVE--2026--48059
  • high : CVE--2026--44893
io.papermc.paperclip.Main/papermc-server 1.21.11-69
io.sigpipe/jbsdiff 1.0
net.kyori.adventure.key/adventure-key 4.25.0
net.kyori.adventure.text.logger.slf4j/adventure-text-logger-slf4j 4.25.0
net.kyori.adventure.text.minimessage/adventure-text-minimessage 4.25.0
net.kyori.adventure.text.serializer.ansi/adventure-text-serializer-ansi 4.25.0
net.kyori.adventure.text.serializer.constant/adventure-text-serializer-commons 4.25.0
net.kyori.adventure.text.serializer.gson/adventure-text-serializer-gson 4.25.0
net.kyori.adventure.text.serializer.json/adventure-text-serializer-json 4.25.0
net.kyori.adventure.text.serializer.legacy/adventure-text-serializer-legacy 4.25.0
net.kyori.adventure.text.serializer.plain/adventure-text-serializer-plain 4.25.0
net.kyori.adventure/adventure-api 4.25.0
net.md-5/bungeecord-chat 1.21-R0.2
net.minecrell.terminalconsole/terminalconsoleappender 1.3.0
option/option 1.1.0
org.apache.commons/commons-compress 1.5
critical: 0 high: 4 medium: 1 low: 0
Added vulnerabilities (5):
  • high : CVE--2021--36090
  • high : CVE--2021--35517
  • high : CVE--2021--35516
  • high : CVE--2021--35515
  • medium : CVE--2024--25710
org.apache.httpcomponents/httpclient 4.5.14
org.apache.httpcomponents/httpcore 4.4.16
org.apache.logging.log4j/log4j-iostreams 2.24.1
org.apache.maven.resolver/maven-resolver-api 1.9.18
org.apache.maven.resolver/maven-resolver-connector-basic 1.9.18
org.apache.maven.resolver/maven-resolver-impl 1.9.18
org.apache.maven.resolver/maven-resolver-named-locks 1.9.18
org.apache.maven.resolver/maven-resolver-spi 1.9.18
org.apache.maven.resolver/maven-resolver-transport-http 1.9.18
org.apache.maven.resolver/maven-resolver-util 1.9.18
org.apache.maven/maven-artifact 3.9.6
org.apache.maven/maven-builder-support 3.9.6
org.apache.maven/maven-model 3.9.6
org.apache.maven/maven-model-builder 3.9.6
org.apache.maven/maven-repository-metadata 3.9.6
org.apache.maven/maven-resolver-provider 3.9.6
org.bukkit/paper-api 1.21.11-R0.1-SNAPSHOT
org.codehaus.plexus/plexus-interpolation 1.26
org.codehaus.plexus/plexus-utils 3.5.1
critical: 0 high: 1 medium: 0 low: 0
Added vulnerabilities (1):
  • high : CVE--2025--67030
org.eclipse.sisu/org.eclipse.sisu.inject 0.9.0.M2
org.jline/jline-native 3.27.1
org.jline/jline-reader 3.20.0
org.jline/jline-terminal 3.27.1
org.jline/jline-terminal-ffm 3.27.1
org.jline/jline-terminal-jni 3.27.1
org.objectweb.asm.commons/asm-commons 9.8
org.objectweb.asm.tree/asm-tree 9.8
org.objectweb.asm/asm 9.8
org.slf4j/jcl-over-slf4j 1.7.36
org.spongepowered.configurate.yaml/configurate-yaml 4.2.0
org.spongepowered.configurate/configurate-core 4.2.0
org.xerial/sqlite-jdbc 3.49.1.0
org.yaml/snakeyaml 2.2
reflection-rewriter-proxy-generator/reflection-rewriter-proxy-generator 0.0.3
reflection-rewriter-runtime/reflection-rewriter-runtime 0.0.3
reflection-rewriter/reflection-rewriter 0.0.3
spark-api/spark-api 0.1-20240720.200737-2
spark-paper/spark-paper 1.10.152
spec/spec 2.0.17
srgutils/srgutils 1.0.9
velocity-native/velocity-native 3.4.0-SNAPSHOT

@github-actions

github-actions Bot commented Dec 1, 2025

Copy link
Copy Markdown

🔍 Vulnerabilities of djaytan/papermc-server:test

📦 Image Reference djaytan/papermc-server:test
digestsha256:bab40aefc7258de79ce680d79d8a08de79e8770961a9228dfaeb16ce56429e20
vulnerabilitiescritical: 4 high: 34 medium: 25 low: 8 unspecified: 3
platformlinux/amd64
size148 MB
packages178
📦 Base Image alpine:3
also known as
  • 3.23
  • 3.23.3
  • latest
digestsha256:59855d3dceb3ae53991193bd03301e082b2a7faa56a514b03527ae0ec2ce3a95
vulnerabilitiescritical: 2 high: 14 medium: 7 low: 3
critical: 2 high: 13 medium: 5 low: 2 openssl 3.5.5-r0 (apk)

pkg:apk/alpine/openssl@3.5.5-r0?os_name=alpine&os_version=3.23

critical : CVE--2026--31789

Affected range<3.5.6-r0
Fixed version3.5.6-r0
EPSS Score0.225%
EPSS Percentile13th percentile
Description

critical : CVE--2026--34182

Affected range<3.5.7-r0
Fixed version3.5.7-r0
EPSS Score0.237%
EPSS Percentile15th percentile
Description

high : CVE--2026--45447

Affected range<3.5.7-r0
Fixed version3.5.7-r0
EPSS Score2.719%
EPSS Percentile84th percentile
Description

high : CVE--2026--7383

Affected range<3.5.7-r0
Fixed version3.5.7-r0
EPSS Score0.358%
EPSS Percentile28th percentile
Description

high : CVE--2026--28387

Affected range<3.5.6-r0
Fixed version3.5.6-r0
EPSS Score0.755%
EPSS Percentile51st percentile
Description

high : CVE--2026--9076

Affected range<3.5.7-r0
Fixed version3.5.7-r0
EPSS Score0.297%
EPSS Percentile22nd percentile
Description

high : CVE--2026--45445

Affected range<3.5.7-r0
Fixed version3.5.7-r0
EPSS Score0.320%
EPSS Percentile24th percentile
Description

high : CVE--2026--42764

Affected range<3.5.7-r0
Fixed version3.5.7-r0
EPSS Score0.684%
EPSS Percentile48th percentile
Description

high : CVE--2026--34183

Affected range<3.5.7-r0
Fixed version3.5.7-r0
EPSS Score0.511%
EPSS Percentile40th percentile
Description

high : CVE--2026--34180

Affected range<3.5.7-r0
Fixed version3.5.7-r0
EPSS Score0.513%
EPSS Percentile40th percentile
Description

high : CVE--2026--31790

Affected range<3.5.6-r0
Fixed version3.5.6-r0
EPSS Score0.981%
EPSS Percentile58th percentile
Description

high : CVE--2026--28390

Affected range<3.5.6-r0
Fixed version3.5.6-r0
EPSS Score0.805%
EPSS Percentile53rd percentile
Description

high : CVE--2026--28389

Affected range<3.5.6-r0
Fixed version3.5.6-r0
EPSS Score1.027%
EPSS Percentile60th percentile
Description

high : CVE--2026--28388

Affected range<3.5.6-r0
Fixed version3.5.6-r0
EPSS Score1.059%
EPSS Percentile61st percentile
Description

high : CVE--2026--34181

Affected range<3.5.7-r0
Fixed version3.5.7-r0
EPSS Score0.196%
EPSS Percentile9th percentile
Description

medium : CVE--2026--2673

Affected range<3.5.6-r0
Fixed version3.5.6-r0
EPSS Score0.435%
EPSS Percentile35th percentile
Description

medium : CVE--2026--42767

Affected range<3.5.7-r0
Fixed version3.5.7-r0
EPSS Score0.349%
EPSS Percentile27th percentile
Description

medium : CVE--2026--42766

Affected range<3.5.7-r0
Fixed version3.5.7-r0
EPSS Score0.595%
EPSS Percentile44th percentile
Description

medium : CVE--2026--42769

Affected range<3.5.7-r0
Fixed version3.5.7-r0
EPSS Score0.262%
EPSS Percentile18th percentile
Description

medium : CVE--2026--45446

Affected range<3.5.7-r0
Fixed version3.5.7-r0
EPSS Score0.210%
EPSS Percentile11th percentile
Description

low : CVE--2026--42770

Affected range<3.5.7-r0
Fixed version3.5.7-r0
EPSS Score0.259%
EPSS Percentile17th percentile
Description

low : CVE--2026--42768

Affected range<3.5.7-r0
Fixed version3.5.7-r0
EPSS Score0.350%
EPSS Percentile27th percentile
Description
critical: 1 high: 1 medium: 5 low: 0 golang.org/x/net 0.49.0 (golang)

pkg:golang/golang.org/x/net@0.49.0

critical : CVE--2026--39821

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.478%
EPSS Percentile38th percentile
Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

high : CVE--2026--33814

Affected range<0.53.0
Fixed version0.53.0
EPSS Score0.781%
EPSS Percentile52nd percentile
Description

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

medium 6.5: CVE--2026--25680 Uncontrolled Resource Consumption

Affected range<0.55.0
Fixed version0.55.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS Score0.248%
EPSS Percentile16th percentile
Description

In Go Net (golang.org/x/net) before verion 0.55.0, parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

medium : CVE--2026--42506

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.188%
EPSS Percentile9th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--42502

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile7th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--27136

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile7th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--25681

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile7th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

critical: 1 high: 0 medium: 0 low: 0 google.golang.org/grpc 1.78.0 (golang)

pkg:golang/google.golang.org/grpc@1.78.0

critical 9.1: CVE--2026--33186 Improper Authorization

Affected range<1.79.3
Fixed version1.79.3
CVSS Score9.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score0.522%
EPSS Percentile41st percentile
Description

Impact

What kind of vulnerability is it? Who is impacted?

It is an Authorization Bypass resulting from Improper Input Validation of the HTTP/2 :path pseudo-header.

The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official grpc/authz package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with /) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.

Who is impacted?
This affects gRPC-Go servers that meet both of the following criteria:

  1. They use path-based authorization interceptors, such as the official RBAC implementation in google.golang.org/grpc/authz or custom interceptors relying on info.FullMethod or grpc.Method(ctx).
  2. Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).

The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server.

Patches

Has the problem been patched? What versions should users upgrade to?

Yes, the issue has been patched. The fix ensures that any request with a :path that does not start with a leading slash is immediately rejected with a codes.Unimplemented error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string.

Users should upgrade to the following versions (or newer):

  • v1.79.3
  • The latest master branch.

It is recommended that all users employing path-based authorization (especially grpc/authz) upgrade as soon as the patch is available in a tagged release.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods:

1. Use a Validating Interceptor (Recommended Mitigation)

Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs:

func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
    if info.FullMethod == "" || info.FullMethod[0] != '/' {
        return nil, status.Errorf(codes.Unimplemented, "malformed method name")
    }   
    return handler(ctx, req)
}

// Ensure this is the FIRST interceptor in your chain
s := grpc.NewServer(
    grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor),
)

2. Infrastructure-Level Normalization

If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the :path header does not start with a leading slash.

3. Policy Hardening

Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.

critical: 0 high: 10 medium: 9 low: 1 unspecified: 2stdlib 1.25.7 (golang)

pkg:golang/stdlib@1.25.7

high : CVE--2026--42504

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.560%
EPSS Percentile43rd percentile
Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

high : CVE--2026--42499

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.798%
EPSS Percentile52nd percentile
Description

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

high : CVE--2026--39836

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.588%
EPSS Percentile44th percentile
Description

The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

high : CVE--2026--39820

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.784%
EPSS Percentile52nd percentile
Description

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

high : CVE--2026--33814

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.781%
EPSS Percentile52nd percentile
Description

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

high : CVE--2026--33811

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.813%
EPSS Percentile53rd percentile
Description

When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

high : CVE--2026--32283

Affected range<1.25.9
Fixed version1.25.9
EPSS Score0.621%
EPSS Percentile46th percentile
Description

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.

This only affects TLS 1.3.

high : CVE--2026--32281

Affected range<1.25.9
Fixed version1.25.9
EPSS Score0.349%
EPSS Percentile27th percentile
Description

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.

This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

high : CVE--2026--32280

Affected range<1.25.9
Fixed version1.25.9
EPSS Score0.615%
EPSS Percentile45th percentile
Description

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

high : CVE--2026--25679

Affected range<1.25.8
Fixed version1.25.8
EPSS Score0.520%
EPSS Percentile41st percentile
Description

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

medium : CVE--2026--27145

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.939%
EPSS Percentile57th percentile
Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

medium : CVE--2026--32282

Affected range<1.25.9
Fixed version1.25.9
EPSS Score0.292%
EPSS Percentile21st percentile
Description

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root.

The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

medium : CVE--2026--39826

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.371%
EPSS Percentile29th percentile
Description

If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block.

medium : CVE--2026--39823

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.314%
EPSS Percentile23rd percentile
Description

CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS.

medium : CVE--2026--32289

Affected range<1.25.9
Fixed version1.25.9
EPSS Score0.290%
EPSS Percentile21st percentile
Description

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied.

These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.

medium : CVE--2026--27142

Affected range<1.25.8
Fixed version1.25.8
EPSS Score0.328%
EPSS Percentile25th percentile
Description

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh".

A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

medium : CVE--2026--32288

Affected range<1.25.9
Fixed version1.25.9
EPSS Score0.290%
EPSS Percentile21st percentile
Description

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

medium : CVE--2026--42507

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.370%
EPSS Percentile29th percentile
Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

medium : CVE--2026--39825

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.390%
EPSS Percentile31st percentile
Description

ReverseProxy can forward queries containing parameters not visible to Rewrite functions.

When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function.

For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.

low : CVE--2026--27139

Affected range<1.25.8
Fixed version1.25.8
EPSS Score0.201%
EPSS Percentile10th percentile
Description

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.

The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

unspecified : CVE--2026--42505

Affected range<1.25.12
Fixed version1.25.12
EPSS Score0.413%
EPSS Percentile33rd percentile
Description

Handshakes which used Encrypted Client Hello could be de-anonymized by a passive network observer due to a disclosure of pre-shared key identities in the unencrypted client hello.

unspecified : CVE--2026--39822

Affected range<1.25.12
Fixed version1.25.12
EPSS Score0.183%
EPSS Percentile8th percentile
Description

On Unix systems, opening a file in an os.Root improperly follows symlinks to locations outside of the Root when the final path component of the a path is a symbolic link and the path ends in /.

For example, 'root.Open("symlink/")' will open "symlink" even when "symlink" is a symbolic link pointing outside of the root.

critical: 0 high: 4 medium: 1 low: 0 org.apache.commons/commons-compress 1.5 (maven)

pkg:maven/org.apache.commons/commons-compress@1.5

high 7.5: CVE--2021--36090 Improper Handling of Length Parameter Inconsistency

Affected range<1.21
Fixed version1.21
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score12.945%
EPSS Percentile96th percentile
Description

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

high 7.5: CVE--2021--35517 Improper Handling of Length Parameter Inconsistency

Affected range<1.21
Fixed version1.21
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score10.614%
EPSS Percentile95th percentile
Description

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

high 7.5: CVE--2021--35516 Improper Handling of Length Parameter Inconsistency

Affected range<1.21
Fixed version1.21
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score12.365%
EPSS Percentile96th percentile
Description

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

high 7.5: CVE--2021--35515 Excessive Iteration

Affected range<1.21
Fixed version1.21
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score11.567%
EPSS Percentile96th percentile
Description

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

medium 5.9: CVE--2024--25710 Loop with Unreachable Exit Condition ('Infinite Loop')

Affected range>=1.3
<1.26.0
Fixed version1.26.0
CVSS Score5.9
CVSS VectorCVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
EPSS Score0.441%
EPSS Percentile36th percentile
Description

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0.

Users are recommended to upgrade to version 1.26.0 which fixes the issue.

critical: 0 high: 2 medium: 0 low: 0 io.netty/netty-codec-haproxy 4.2.7.Final (maven)

pkg:maven/io.netty/netty-codec-haproxy@4.2.7.Final

high 8.7: CVE--2026--48059 Improper Validation of Syntactic Correctness of Input

Affected range>=4.2.0.Final
<=4.2.14.Final
Fixed version4.2.15.Final
CVSS Score8.7
CVSS VectorCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score0.606%
EPSS Percentile45th percentile
Description

Impact

The HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested PP2_TYPE_SSL TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path — no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the HAProxyMessage normally. Yet the underlying cumulation buffer (a pooled, potentially direct ByteBuf allocated by the channel) remains permanently pinned.

high 7.5: CVE--2026--44893 Improper Check or Handling of Exceptional Conditions

Affected range>=4.2.0.Final
<=4.2.14.Final
Fixed version4.2.15.Final
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score0.594%
EPSS Percentile44th percentile
Description

When decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() first calls header.retainedSlice(header.readerIndex(), length) and only then reads the 1-byte client field and 4-byte verify field. If the attacker sets the TLV length below 5, the subsequent readByte/readInt throws IndexOutOfBoundsException. HAProxyMessageDecoder only catches HAProxyProtocolException around this call, so the IOOBE propagates and the retained slice on the pooled cumulation buffer is never released.

critical: 0 high: 1 medium: 1 low: 0 musl 1.2.5-r21 (apk)

pkg:apk/alpine/musl@1.2.5-r21?os_name=alpine&os_version=3.23

high : CVE--2026--40200

Affected range<1.2.5-r23
Fixed version1.2.5-r23
EPSS Score0.128%
EPSS Percentile3rd percentile
Description

medium : CVE--2026--6042

Affected range<1.2.5-r22
Fixed version1.2.5-r22
EPSS Score0.227%
EPSS Percentile13th percentile
Description
critical: 0 high: 1 medium: 0 low: 0 go.opentelemetry.io/otel/sdk 1.40.0 (golang)

pkg:golang/go.opentelemetry.io/otel/sdk@1.40.0

high 7.3: CVE--2026--39883 Untrusted Search Path

Affected range>=1.15.0
<=1.42.0
Fixed version1.43.0
CVSS Score7.3
CVSS VectorCVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS Score0.220%
EPSS Percentile12th percentile
Description

Summary

The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms.

Root Cause

sdk/resource/host_id.go line 42:

if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil {

Compare with the fixed Darwin path at line 58:

result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice")

The execCommand helper at sdk/resource/host_id_exec.go uses exec.Command(name, arg...) which searches $PATH when the command name contains no path separator.

Affected platforms (per build tag in host_id_bsd.go:4): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris.

The kenv path is reached when /etc/hostid does not exist (line 38-40), which is common on FreeBSD systems.

Attack

  1. Attacker has local access to a system running a Go application that imports go.opentelemetry.io/otel/sdk
  2. Attacker places a malicious kenv binary earlier in $PATH
  3. Application initializes OpenTelemetry resource detection at startup
  4. hostIDReaderBSD.read() calls exec.Command("kenv", ...) which resolves to the malicious binary
  5. Arbitrary code executes in the context of the application

Same attack vector and impact as CVE-2026-24051.

Suggested Fix

Use the absolute path:

if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil {

On FreeBSD, kenv is located at /bin/kenv.

critical: 0 high: 1 medium: 0 low: 0 go.opentelemetry.io/otel 1.40.0 (golang)

pkg:golang/go.opentelemetry.io/otel@1.40.0

high 7.5: CVE--2026--29181 Uncontrolled Resource Consumption

Affected range>=1.36.0
<=1.40.0
Fixed version1.41.0
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score0.435%
EPSS Percentile35th percentile
Description

multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. this allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit.

severity

HIGH (availability / remote request amplification)

relevant links

vulnerability details

pins: open-telemetry/opentelemetry-go@1ee4a41
as-of: 2026-02-04
policy: direct (no program scope provided)

callsite: propagation/baggage.go:58 (extractMultiBaggage)
attacker control: inbound HTTP request headers (many baggage field-values) → propagation.HeaderCarrier.Values("baggage") → repeated baggage.Parse + member aggregation

root cause

extractMultiBaggage iterates over all baggage header field-values and parses each one independently, then appends members into a shared slice. the 8192-byte parsing cap applies per header value, but the multi-value path repeats that work once per header line (bounded only by the server/proxy header byte limit).

impact

in a default net/http configuration (max header bytes 1mb), a single request with many baggage: header field-values can cause large per-request allocations and increased latency.

example from the attached PoC harness (darwin/arm64; 80 values; 40 requests):

  • canonical: per_req_alloc_bytes=10315458 and p95_ms=7
  • control: per_req_alloc_bytes=133429 and p95_ms=0

proof of concept

canonical:

mkdir -p poc
unzip poc.zip -d poc
cd poc
make test

output (excerpt):

[CALLSITE_HIT]: propagation/baggage.go:58 extractMultiBaggage
[PROOF_MARKER]: baggage_multi_value_amplification p95_ms=7 per_req_alloc_bytes=10315458 per_req_allocs=16165

control:

cd poc
make control

control output (excerpt):

[NC_MARKER]: baggage_single_value_baseline p95_ms=0 per_req_alloc_bytes=133429 per_req_allocs=480

expected: multiple baggage header field-values should be semantically equivalent to a single comma-joined baggage value and should not multiply parsing/alloc work within the effective header byte budget.
actual: multiple baggage header field-values trigger repeated parsing and member aggregation, causing high per-request allocations and increased latency even when each individual value is within 8192 bytes.

fix recommendation

avoid repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing. one mitigation approach is to treat multi-values as a single comma-joined string and cap total parsed bytes (for example 8192 bytes total).

fix accepted when: under the default PoC harness settings, canonical stays within 2x of control for per_req_alloc_bytes and per_req_allocs, and p95_ms stays below 2ms.

poc.zip
PR_DESCRIPTION.md

critical: 0 high: 1 medium: 0 low: 0 org.codehaus.plexus/plexus-utils 3.5.1 (maven)

pkg:maven/org.codehaus.plexus/plexus-utils@3.5.1

high : CVE--2025--67030 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected range<3.6.1
Fixed version4.0.3
EPSS Score0.663%
EPSS Percentile48th percentile
Description

Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code

critical: 0 high: 0 medium: 1 low: 2 unspecified: 1libxml2 2.13.9-r0 (apk)

pkg:apk/alpine/libxml2@2.13.9-r0?os_name=alpine&os_version=3.23

medium : CVE--2026--6732

Affected range<2.13.9-r1
Fixed version2.13.9-r1
EPSS Score0.632%
EPSS Percentile46th percentile
Description

low : CVE--2026--0989

Affected range<=2.13.9-r0
Fixed versionNot Fixed
EPSS Score0.419%
EPSS Percentile34th percentile
Description

low : CVE--2025--8732

Affected range<=2.13.9-r0
Fixed versionNot Fixed
EPSS Score0.202%
EPSS Percentile10th percentile
Description

unspecified : CVE--2026--11979

Affected range<=2.13.9-r0
Fixed versionNot Fixed
EPSS Score0.148%
EPSS Percentile4th percentile
Description
critical: 0 high: 0 medium: 1 low: 1 zlib 1.3.1-r2 (apk)

pkg:apk/alpine/zlib@1.3.1-r2?os_name=alpine&os_version=3.23

medium : CVE--2026--22184

Affected range<1.3.2-r0
Fixed version1.3.2-r0
EPSS Score0.381%
EPSS Percentile30th percentile
Description

low : CVE--2026--27171

Affected range<1.3.2-r0
Fixed version1.3.2-r0
EPSS Score0.204%
EPSS Percentile10th percentile
Description
critical: 0 high: 0 medium: 1 low: 0 busybox 1.37.0-r30 (apk)

pkg:apk/alpine/busybox@1.37.0-r30?os_name=alpine&os_version=3.23

medium : CVE--2025--60876

Affected range<=1.37.0-r30
Fixed versionNot Fixed
EPSS Score0.285%
EPSS Percentile20th percentile
Description
critical: 0 high: 0 medium: 1 low: 0 commons-lang/commons-lang 2.6 (maven)

pkg:maven/commons-lang/commons-lang@2.6

medium 6.5: CVE--2025--48924 Uncontrolled Recursion

Affected range>=2.0
<=2.6
Fixed versionNot Fixed
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Score2.164%
EPSS Percentile80th percentile
Description

Uncontrolled Recursion vulnerability in Apache Commons Lang.

This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.

The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.

Users are recommended to upgrade to version 3.18.0, which fixes the issue.

critical: 0 high: 0 medium: 0 low: 1 golang.org/x/sys 0.41.0 (golang)

pkg:golang/golang.org/x/sys@0.41.0

low : CVE--2026--39824

Affected range<0.44.0
Fixed version0.44.0
EPSS Score0.114%
EPSS Percentile2nd percentile
Description

NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error.

critical: 0 high: 0 medium: 0 low: 1 xz 5.8.2-r0 (apk)

pkg:apk/alpine/xz@5.8.2-r0?os_name=alpine&os_version=3.23

low : CVE--2026--34743

Affected range<5.8.3-r0
Fixed version5.8.3-r0
EPSS Score0.351%
EPSS Percentile27th percentile
Description

@renovate
renovate Bot force-pushed the renovate/docker.io-cuelang-cue-0.x branch from d261a73 to 1e3bed5 Compare December 30, 2025 14:01
@renovate renovate Bot changed the title chore(deps): update docker.io/cuelang/cue docker tag to v0.15.1 chore(deps): update docker.io/cuelang/cue docker tag to v0.15.3 Dec 30, 2025
@renovate
renovate Bot force-pushed the renovate/docker.io-cuelang-cue-0.x branch from 1e3bed5 to 1ea5d94 Compare January 27, 2026 17:36
@renovate renovate Bot changed the title chore(deps): update docker.io/cuelang/cue docker tag to v0.15.3 chore(deps): update docker.io/cuelang/cue docker tag to v0.15.4 Jan 27, 2026
@renovate
renovate Bot force-pushed the renovate/docker.io-cuelang-cue-0.x branch from 1ea5d94 to 22972e7 Compare February 15, 2026 17:06
@renovate
renovate Bot force-pushed the renovate/docker.io-cuelang-cue-0.x branch from 22972e7 to f9bac18 Compare March 3, 2026 18:42
@renovate renovate Bot changed the title chore(deps): update docker.io/cuelang/cue docker tag to v0.15.4 chore(deps): update docker.io/cuelang/cue docker tag to v0.16.0 Mar 3, 2026
@sonarqubecloud

sonarqubecloud Bot commented Mar 3, 2026

Copy link
Copy Markdown

@renovate
renovate Bot force-pushed the renovate/docker.io-cuelang-cue-0.x branch from f9bac18 to 4d575dd Compare April 8, 2026 18:10
@renovate renovate Bot changed the title chore(deps): update docker.io/cuelang/cue docker tag to v0.16.0 chore(deps): update docker.io/cuelang/cue docker tag to v0.16.1 Apr 8, 2026
@sonarqubecloud

sonarqubecloud Bot commented Apr 8, 2026

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
E Maintainability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

@renovate
renovate Bot force-pushed the renovate/docker.io-cuelang-cue-0.x branch from 4d575dd to 4fe60fb Compare June 29, 2026 19:59
@renovate renovate Bot changed the title chore(deps): update docker.io/cuelang/cue docker tag to v0.16.1 chore(deps): update docker.io/cuelang/cue docker tag to v0.17.0 Jun 29, 2026
@sonarqubecloud

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
E Maintainability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

@renovate
renovate Bot force-pushed the renovate/docker.io-cuelang-cue-0.x branch from 4fe60fb to 0374e30 Compare July 16, 2026 10:16
@renovate renovate Bot changed the title chore(deps): update docker.io/cuelang/cue docker tag to v0.17.0 chore(deps): update docker.io/cuelang/cue docker tag to v0.17.1 Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants