You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Fix several regressions introduced in v0.17.0: a panic when evaluating some disjunctions (#4419), and spurious invalid interpolation (#4420), field not allowed (#4423), and structural cycle (#4430) errors involving comprehensions or self references.
Fix two regressions introduced in v0.17.0 where evaluation could hang (#4421, #4422), as well as two long-standing hangs on self-referencing configurations (#2766, #4231).
cmd/cue
Fix a panic in cue exp gengotypes, a regression introduced in v0.17.0, when a definition references a definition from another package via embedding (#4436).
Module replacements are now subject to minimum-version selection like any other dependency. cue mod tidy now normalizes a fully-pinned replacement to its major version and records the target as a regular dependency.
Full list of changes since v0.17.0
internal/cueversion: bump for v0.17.1 by @mvdan in fc6c0b2
internal/ci: bump pinnedReleaseGo for v0.17.1 by @mvdan in 9c720d0
[release-branch.v0.17] internal/core: resolve import instances back to their build instance by @mvdan in 8ead2d9
[release-branch.v0.17] internal/core/adt: allow chained re-instantiation of inline conjunctions by @mvdan in f81f772
[release-branch.v0.17] cue/testdata/cycle: add regression test for spurious inline cycle by @mvdan in 993c44e
[release-branch.v0.17] internal/core/adt: fix hang on let binding a self-referencing struct by @mvdan in 1cd5e1f
[release-branch.v0.17] internal/core/adt: fix hang on self-feeding cycle advancing depth by @mvdan in ed51952
[release-branch.v0.17] internal/core/adt: defer field-set freeze for a running resolver by @mvdan in e69e621
[release-branch.v0.17] internal/core/adt: defer fieldSetKnown for a running field-adding conjunct by @mvdan in 459016a
[release-branch.v0.17] internal/core/adt: do not defer resolvers during comprehension clauses by @mvdan in f89ebec
[release-branch.v0.17] cue/testdata/comprehensions: test guard-driven premature finalization by @mvdan in 6176fb5
[release-branch.v0.17] internal/core/adt,pkg: bound string, bytes, and list repeat counts by @mvdan in 3017156
[release-branch.v0.17] cue/parser: limit expression nesting depth during parsing by @mvdan in f6f05bb
[release-branch.v0.17] internal/encoding/yaml: limit the size of YAML alias expansion by @mvdan in 04d57ab
[release-branch.v0.17] internal/core/adt: treat cyclic under-resolved values as incomplete scalars by @mvdan in 63994d5
[release-branch.v0.17] cue/testdata/references: test a comprehension dynamic field under a let self by @mvdan in 0ba71ca
[release-branch.v0.17] internal/core/adt: do not reclaim disjunct arc states before merging by @mvdan in b72d5b4
[release-branch.v0.17] internal/core/adt: do not discard recomputed let cycle placeholders by @mvdan in f82d498
[release-branch.v0.17] internal/core/adt: fix hang on dynamic field whose key is under evaluation by @mvdan in e0b974d
[release-branch.v0.17] all: re-run tests with CUE_UPDATE=1 by @mvdan in 7d5a557
[release-branch.v0.17] encoding/jsonschema: avoid panic on non-string element in "required" by @mvdan in f6bc350
Changes which may break some users are marked below with: ⚠️
Language
The active try experiment renames the new fallback keyword, used with for comprehensions, to otherwise. fallback continues to be accepted for now, but is rewritten to the new form.
The active aliasv2 experiment now allows ~(X) as an alternative to ~X for the single postfix alias form. ~X is also rewritten as ~(X) for the sake of consistency and clarity.
Language versions v0.17.0 and later allow omitting commas in multi-line lists. Just like a newline after a struct field implies a comma, a newline after a list element now implies a comma as well.
Language versions v0.17.0 and later allow a newline or a comma before the closing bracket of an index expression, matching how lists and func arguments allow omitting trailing commas.
The language spec is tweaked to make $ a valid identifier, which was already allowed by the parser and evaluator.
⚠️ Support for the infix div, mod, quo, and rem operators has been removed. Since late 2020, these infix forms have been undocumented and rewritten by cue fix to the new function calls.
The new shortcircuit experiment
This release introduces the shortcircuit experiment, which changes the && and || operators to not evaluate the right operand if the left operand alone determines the result.
This matches the behavior already documented in the CUE spec and is consistent with most mainstream languages, but for the sake of a smooth transition for end users, we are rolling out this change via an experiment.
You can try this experiment via the @experiment(shortcircuit) file attribute. To mimic the old behavior with the experiment, you can use a hidden field:
_y: YifX&&_y {}
Evaluator
Comprehensions
The comprehension algorithm now waits to run a comprehension's body until the fields it reads have a concrete value, rather than trying to produce its fields up front. This resolves a number of long-standing bugs, most notably the last known regressions from evalv2, where a comprehension that should have resolved instead failed as an incomplete value or a cycle.
This design also greatly simplifies upcoming evaluator work, such as introducing new builtins to replace comparing values to bottom, as well as the design of evalv4.
Other changes
The evaluator no longer deduplicates errors just by position, which was causing some useful errors from disjunctions or standard library calls to be dropped incorrectly.
Several long-standing cycle-detection bugs have been fixed, such as self-referential uses of matchN and matchIf, self-feeding disjunctions, and comprehensions that read a let binding which refers back to the comprehension's own fields.
Fixed a bug where the same package imported via different qualified import paths (e.g. foo.com/bar@v0 or foo.com/bar:baz) did not share the same hidden field namespace.
Resolving an unversioned import from a dependency module now respects that module's own default major version, instead of always using the main module's default.
Fix a number of issues where cue def could produce invalid CUE output, such as due to name conflicts.
Fix an evaluator regression where embedded disjunctions across packages may not correctly apply closedness.
Fix an evaluator bug where cue.Context.BuildExpr of close({}) did not actually result in a closed struct.
Fix a bug where some calls to standard library functions or validators did not include the "error in call to pkg.Func" error context, or included it twice.
A few changes to the evaluator should reduce allocated objects by up to 16%, reducing GC overhead and memory usage.
To ease the transition into the new formatter we plan to release with v0.18, CUE_EXPERIMENT=formatv2=0 is now allowed as a no-op.
A number of other bugs, panics, and hangs have been resolved as well.
cmd/cue
Module replaces
CUE now supports substituting a module dependency with a local directory or a different remote module during development - for example while testing a fix to a dependency before it is published, or to replace a dependency with a fork including improvements.
This configuration lives in cue.mod/local-module.cue, which is excluded when publishing to registries. cue mod edit and cue mod tidy gain support for maintaining this file.
The new global -C or --chdir flag runs cue from the given working directory.
Command input parsing is improved so that CUE packages can come after data files, such as cue vet -c data.yaml ./schema.
cue import --with-context now ensures that data represents the original raw input data, and not its interpretation like JSON Schema. cue import --path now skips over null values in an input stream, such as empty documents in a YAML file.
Fix a bug where the flag cue export --path was ignored when the inputs were pure CUE.
The new cue exp gengotypes --outfile flag controls the output file path when generating a single package.
cue vet -d/--schema now supports hidden fields, and correctly reports an error when the command inputs are CUE only.
cue fix and cue trim no longer change file modification times when no changes are necessary.
A $CUE_CACHE_DIR directory is no longer required when loading CUE without external dependencies.
The "filetypes" lookup tables now use a more compact encoding, saving about 150KiB in binary size for cmd/cue as well as Go API users.
LSP server
Add an initial version of organize-imports, which sorts the existing imports and removes unneeded imports. It is not yet capable of suggesting missing imports.
Wait for a short period of inactivity before sending diagnostics to the editor. This "debounce" means that a user typing incomplete CUE syntax will not be distracted with syntax errors as much.
The aliasv2 experiment is now fully supported.
The rename function is fixed to distinguish between field names and aliases.
Improve field name analysis in general so that fields with multiple aliases (e.g. v=[k=string]: _) are properly supported.
Improve attribute handling for file-level embedded attributes, and to attach attributes within expressions to the correct struct.
Treat conjunctions (&) and disjunctions (|) the same way for goto-definition. With the cursor on a path, it returns all results that the path MAY resolve to. With the cursor on a field declaration name, it returns all results that the path constructed from the field's name, and its field's name (and so on) MAY resolve to.
Special-case close function calls so that paths can resolve through fields within the argument to close.
Encodings
⚠️ The experimental JSON Schema encoder now emits most definitions without the leading # character, shortening names and ensuring compatibility with the wider JSON Schema ecosystem. This required deprecating encoding/jsonschema.GenerateConfig.NameFunc in favor of NamesFunc.
The JSON Schema encoder is improved to support list.UniqueItems and standalone validators, to use maxItems and minItems instead of maxLength and minLength for lists with prefix elements, and to generate description keywords for doc comments.
Several closedness bugs in the JSON Schema encoder have been fixed, ensuring that the generated JSON Schema behaves the same way as the original CUE definition.
The JSON Schema decoder is improved to better handle the prefixItems keyword.
The ProtoBuf decoder now resolves relative references following the usual scoping rules, instead of always resolving them against the top-level scope.
Standard library
Add time.ToUnix and time.ToUnixNano, which convert an RFC3339Nano time value into seconds or nanoseconds since the Unix epoch, complementing the existing Unix builtin.
strconv.FormatFloat now accepts a string format parameter, like FormatFloat(3.14, "e", 4, 64).
list.MatchN now shows what expected value it's matching against when it fails.
The net IP APIs now consistently return an error on invalid input types.
Go API
Using cue.Values concurrently is now fully supported, which required deprecating cue.Value.Context. If you encounter any races or bugs, please report them via the issue tracker.
cue/load now supports loading from an io/fs.FS, as outlined in proposal #4285. Loading file embeds through Config.Overlay and Config.FS is supported now as well.
cue/ast/astutil deprecates Sanitize in favor of the new SanitizeFiles API, given that Sanitize on a single file cannot know if another file in the same package shadows builtin names like self.
Clarify that cue/format indents with a tab width of 4 by default.
A new fuzzer has been introduced in the cue package, checking that the parser doesn't crash and that its results are consistent with the rest of the Go APIs like cue/literal. So far, it has already resulted in seventeen bug fixes.
The cue.Interpreter option API has been deprecated in favor of cue.WithInjection, which is a better name going forward.
⚠️cue/ast.File.Imports, deprecated in mid 2025 in favor of cue/ast.File.ImportSpecs, is now removed.
⚠️ The long-deprecated and hidden cue.Instance methods Lookup, LookupDef, LookupField, and Fill are now removed.
⚠️ The modconfig.Registry interface is changed to report default major versions, which is required for resolving unversioned imports against each dependency module's own defaults. Clients that implement or wrap the interface will need to update. The new interface is future-proofed for upcoming modules changes.
Full list of changes since v0.16.0
[release-branch.v0.17] internal/mod: resolve module replacements via minimum-version selection by @rogpeppe in 0fc639b
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.
This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".
Affected range
<0.53.0
Fixed version
0.53.0
EPSS Score
0.781%
EPSS Percentile
52nd percentile
Description
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
Uncontrolled Resource Consumption
Affected range
<0.55.0
Fixed version
0.55.0
CVSS Score
6.5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS Score
0.248%
EPSS Percentile
16th percentile
Description
In Go Net (golang.org/x/net) before verion 0.55.0, parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.
Affected range
<0.55.0
Fixed version
0.55.0
EPSS Score
0.188%
EPSS Percentile
9th percentile
Description
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Affected range
<0.55.0
Fixed version
0.55.0
EPSS Score
0.178%
EPSS Percentile
7th percentile
Description
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Affected range
<0.55.0
Fixed version
0.55.0
EPSS Score
0.178%
EPSS Percentile
7th percentile
Description
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Affected range
<0.55.0
Fixed version
0.55.0
EPSS Score
0.178%
EPSS Percentile
7th percentile
Description
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
google.golang.org/grpc1.78.0 (golang)
pkg:golang/google.golang.org/grpc@1.78.0
Improper Authorization
Affected range
<1.79.3
Fixed version
1.79.3
CVSS Score
9.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score
0.522%
EPSS Percentile
41st percentile
Description
Impact
What kind of vulnerability is it? Who is impacted?
It is an Authorization Bypass resulting from Improper Input Validation of the HTTP/2 :path pseudo-header.
The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official grpc/authz package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with /) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.
Who is impacted?
This affects gRPC-Go servers that meet both of the following criteria:
They use path-based authorization interceptors, such as the official RBAC implementation in google.golang.org/grpc/authz or custom interceptors relying on info.FullMethod or grpc.Method(ctx).
Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).
The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server.
Patches
Has the problem been patched? What versions should users upgrade to?
Yes, the issue has been patched. The fix ensures that any request with a :path that does not start with a leading slash is immediately rejected with a codes.Unimplemented error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string.
Users should upgrade to the following versions (or newer):
v1.79.3
The latest master branch.
It is recommended that all users employing path-based authorization (especially grpc/authz) upgrade as soon as the patch is available in a tagged release.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods:
1. Use a Validating Interceptor (Recommended Mitigation)
Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs:
funcpathValidationInterceptor(ctx context.Context, reqany, info*grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
ifinfo.FullMethod==""||info.FullMethod[0] !='/' {
returnnil, status.Errorf(codes.Unimplemented, "malformed method name")
}
returnhandler(ctx, req)
}
// Ensure this is the FIRST interceptor in your chains:=grpc.NewServer(
grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor),
)
2. Infrastructure-Level Normalization
If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the :path header does not start with a leading slash.
3. Policy Hardening
Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.
stdlib1.25.7 (golang)
pkg:golang/stdlib@1.25.7
Affected range
<1.25.11
Fixed version
1.25.11
EPSS Score
0.560%
EPSS Percentile
43rd percentile
Description
Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.
Affected range
<1.25.10
Fixed version
1.25.10
EPSS Score
0.798%
EPSS Percentile
52nd percentile
Description
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
Affected range
<1.25.10
Fixed version
1.25.10
EPSS Score
0.588%
EPSS Percentile
44th percentile
Description
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
Affected range
<1.25.10
Fixed version
1.25.10
EPSS Score
0.784%
EPSS Percentile
52nd percentile
Description
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
Affected range
<1.25.10
Fixed version
1.25.10
EPSS Score
0.781%
EPSS Percentile
52nd percentile
Description
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
Affected range
<1.25.10
Fixed version
1.25.10
EPSS Score
0.813%
EPSS Percentile
53rd percentile
Description
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
Affected range
<1.25.9
Fixed version
1.25.9
EPSS Score
0.621%
EPSS Percentile
46th percentile
Description
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.
This only affects TLS 1.3.
Affected range
<1.25.9
Fixed version
1.25.9
EPSS Score
0.349%
EPSS Percentile
27th percentile
Description
Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.
This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
Affected range
<1.25.9
Fixed version
1.25.9
EPSS Score
0.615%
EPSS Percentile
45th percentile
Description
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
Affected range
<1.25.8
Fixed version
1.25.8
EPSS Score
0.520%
EPSS Percentile
41st percentile
Description
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
Affected range
<1.25.11
Fixed version
1.25.11
EPSS Score
0.939%
EPSS Percentile
57th percentile
Description
(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.
With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.
Affected range
<1.25.9
Fixed version
1.25.9
EPSS Score
0.292%
EPSS Percentile
21st percentile
Description
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root.
The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.
Affected range
<1.25.10
Fixed version
1.25.10
EPSS Score
0.371%
EPSS Percentile
29th percentile
Description
If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block.
Affected range
<1.25.10
Fixed version
1.25.10
EPSS Score
0.314%
EPSS Percentile
23rd percentile
Description
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS.
Affected range
<1.25.9
Fixed version
1.25.9
EPSS Score
0.290%
EPSS Percentile
21st percentile
Description
Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied.
These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.
Affected range
<1.25.8
Fixed version
1.25.8
EPSS Score
0.328%
EPSS Percentile
25th percentile
Description
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh".
A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.
Affected range
<1.25.9
Fixed version
1.25.9
EPSS Score
0.290%
EPSS Percentile
21st percentile
Description
tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.
Affected range
<1.25.11
Fixed version
1.25.11
EPSS Score
0.370%
EPSS Percentile
29th percentile
Description
When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.
Affected range
<1.25.10
Fixed version
1.25.10
EPSS Score
0.390%
EPSS Percentile
31st percentile
Description
ReverseProxy can forward queries containing parameters not visible to Rewrite functions.
When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function.
For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.
Affected range
<1.25.8
Fixed version
1.25.8
EPSS Score
0.201%
EPSS Percentile
10th percentile
Description
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.
The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.
Affected range
<1.25.12
Fixed version
1.25.12
EPSS Score
0.413%
EPSS Percentile
33rd percentile
Description
Handshakes which used Encrypted Client Hello could be de-anonymized by a passive network observer due to a disclosure of pre-shared key identities in the unencrypted client hello.
Affected range
<1.25.12
Fixed version
1.25.12
EPSS Score
0.183%
EPSS Percentile
8th percentile
Description
On Unix systems, opening a file in an os.Root improperly follows symlinks to locations outside of the Root when the final path component of the a path is a symbolic link and the path ends in /.
For example, 'root.Open("symlink/")' will open "symlink" even when "symlink" is a symbolic link pointing outside of the root.
org.apache.commons/commons-compress1.5 (maven)
pkg:maven/org.apache.commons/commons-compress@1.5
Improper Handling of Length Parameter Inconsistency
Affected range
<1.21
Fixed version
1.21
CVSS Score
7.5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
12.945%
EPSS Percentile
96th percentile
Description
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
Improper Handling of Length Parameter Inconsistency
Affected range
<1.21
Fixed version
1.21
CVSS Score
7.5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
10.614%
EPSS Percentile
95th percentile
Description
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
Improper Handling of Length Parameter Inconsistency
Affected range
<1.21
Fixed version
1.21
CVSS Score
7.5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
12.365%
EPSS Percentile
96th percentile
Description
When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
Excessive Iteration
Affected range
<1.21
Fixed version
1.21
CVSS Score
7.5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
11.567%
EPSS Percentile
96th percentile
Description
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
Loop with Unreachable Exit Condition ('Infinite Loop')
Affected range
>=1.3 <1.26.0
Fixed version
1.26.0
CVSS Score
5.9
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
EPSS Score
0.441%
EPSS Percentile
36th percentile
Description
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0.
Users are recommended to upgrade to version 1.26.0 which fixes the issue.
The HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested PP2_TYPE_SSL TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path — no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the HAProxyMessage normally. Yet the underlying cumulation buffer (a pooled, potentially direct ByteBuf allocated by the channel) remains permanently pinned.
Improper Check or Handling of Exceptional Conditions
Affected range
>=4.2.0.Final <=4.2.14.Final
Fixed version
4.2.15.Final
CVSS Score
7.5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
0.594%
EPSS Percentile
44th percentile
Description
When decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() first calls header.retainedSlice(header.readerIndex(), length) and only then reads the 1-byte client field and 4-byte verify field. If the attacker sets the TLV length below 5, the subsequent readByte/readInt throws IndexOutOfBoundsException. HAProxyMessageDecoder only catches HAProxyProtocolException around this call, so the IOOBE propagates and the retained slice on the pooled cumulation buffer is never released.
The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms.
The execCommand helper at sdk/resource/host_id_exec.go uses exec.Command(name, arg...) which searches $PATH when the command name contains no path separator.
Affected platforms (per build tag in host_id_bsd.go:4): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris.
The kenv path is reached when /etc/hostid does not exist (line 38-40), which is common on FreeBSD systems.
Attack
Attacker has local access to a system running a Go application that imports go.opentelemetry.io/otel/sdk
Attacker places a malicious kenv binary earlier in $PATH
Application initializes OpenTelemetry resource detection at startup
hostIDReaderBSD.read() calls exec.Command("kenv", ...) which resolves to the malicious binary
Arbitrary code executes in the context of the application
multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. this allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit.
severity
HIGH (availability / remote request amplification)
extractMultiBaggage iterates over all baggage header field-values and parses each one independently, then appends members into a shared slice. the 8192-byte parsing cap applies per header value, but the multi-value path repeats that work once per header line (bounded only by the server/proxy header byte limit).
impact
in a default net/http configuration (max header bytes 1mb), a single request with many baggage: header field-values can cause large per-request allocations and increased latency.
example from the attached PoC harness (darwin/arm64; 80 values; 40 requests):
canonical: per_req_alloc_bytes=10315458 and p95_ms=7
control: per_req_alloc_bytes=133429 and p95_ms=0
proof of concept
canonical:
mkdir -p poc
unzip poc.zip -d poc
cd poc
make test
expected: multiple baggage header field-values should be semantically equivalent to a single comma-joined baggage value and should not multiply parsing/alloc work within the effective header byte budget. actual: multiple baggage header field-values trigger repeated parsing and member aggregation, causing high per-request allocations and increased latency even when each individual value is within 8192 bytes.
fix recommendation
avoid repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing. one mitigation approach is to treat multi-values as a single comma-joined string and cap total parsed bytes (for example 8192 bytes total).
fix accepted when: under the default PoC harness settings, canonical stays within 2x of control for per_req_alloc_bytes and per_req_allocs, and p95_ms stays below 2ms.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected range
<3.6.1
Fixed version
4.0.3
EPSS Score
0.663%
EPSS Percentile
48th percentile
Description
Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
golang.org/x/sys0.41.0 (golang)
pkg:golang/golang.org/x/sys@0.41.0
Affected range
<0.44.0
Fixed version
0.44.0
EPSS Score
0.114%
EPSS Percentile
2nd percentile
Description
NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error.
renovateBot
changed the title
chore(deps): update docker.io/cuelang/cue docker tag to v0.15.1
chore(deps): update docker.io/cuelang/cue docker tag to v0.15.3
Dec 30, 2025
renovateBot
changed the title
chore(deps): update docker.io/cuelang/cue docker tag to v0.15.3
chore(deps): update docker.io/cuelang/cue docker tag to v0.15.4
Jan 27, 2026
renovateBot
changed the title
chore(deps): update docker.io/cuelang/cue docker tag to v0.15.4
chore(deps): update docker.io/cuelang/cue docker tag to v0.16.0
Mar 3, 2026
renovateBot
changed the title
chore(deps): update docker.io/cuelang/cue docker tag to v0.16.0
chore(deps): update docker.io/cuelang/cue docker tag to v0.16.1
Apr 8, 2026
renovateBot
changed the title
chore(deps): update docker.io/cuelang/cue docker tag to v0.16.1
chore(deps): update docker.io/cuelang/cue docker tag to v0.17.0
Jun 29, 2026
renovateBot
changed the title
chore(deps): update docker.io/cuelang/cue docker tag to v0.17.0
chore(deps): update docker.io/cuelang/cue docker tag to v0.17.1
Jul 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
0.13.2→0.17.1Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
cue-lang/cue (docker.io/cuelang/cue)
v0.17.1Compare Source
Evaluator
Fix several regressions introduced in
v0.17.0: a panic when evaluating some disjunctions (#4419), and spuriousinvalid interpolation(#4420),field not allowed(#4423), andstructural cycle(#4430) errors involving comprehensions orselfreferences.Fix two regressions introduced in
v0.17.0where evaluation could hang (#4421, #4422), as well as two long-standing hangs on self-referencing configurations (#2766, #4231).cmd/cueFix a panic in
cue exp gengotypes, a regression introduced inv0.17.0, when a definition references a definition from another package via embedding (#4436).Module replacements are now subject to minimum-version selection like any other dependency.
cue mod tidynow normalizes a fully-pinned replacement to its major version and records the target as a regular dependency.Full list of changes since v0.17.0
fc6c0b29c720d08ead2d9f81f772993c44e1cd5e1fed51952e69e621459016af89ebec6176fb53017156f6f05bb04d57ab63994d50ba71cab72d5b4f82d498e0b974d7d5a557f6bc350v0.17.0Compare Source
Changes which may break some users are marked below with:⚠️
Language
The active
tryexperiment renames the newfallbackkeyword, used withforcomprehensions, tootherwise.fallbackcontinues to be accepted for now, but is rewritten to the new form.The active
aliasv2experiment now allows~(X)as an alternative to~Xfor the single postfix alias form.~Xis also rewritten as~(X)for the sake of consistency and clarity.Language versions
v0.17.0and later allow omitting commas in multi-line lists. Just like a newline after a struct field implies a comma, a newline after a list element now implies a comma as well.Language versions
v0.17.0and later allow a newline or a comma before the closing bracket of an index expression, matching how lists and func arguments allow omitting trailing commas.The language spec is tweaked to make
$a valid identifier, which was already allowed by the parser and evaluator.div,mod,quo, andremoperators has been removed. Since late 2020, these infix forms have been undocumented and rewritten bycue fixto the new function calls.The new
shortcircuitexperimentThis release introduces the
shortcircuitexperiment, which changes the&&and||operators to not evaluate the right operand if the left operand alone determines the result.This matches the behavior already documented in the CUE spec and is consistent with most mainstream languages, but for the sake of a smooth transition for end users, we are rolling out this change via an experiment.
You can try this experiment via the
@experiment(shortcircuit)file attribute. To mimic the old behavior with the experiment, you can use a hidden field:Evaluator
Comprehensions
The comprehension algorithm now waits to run a comprehension's body until the fields it reads have a concrete value, rather than trying to produce its fields up front. This resolves a number of long-standing bugs, most notably the last known regressions from
evalv2, where a comprehension that should have resolved instead failed as an incomplete value or a cycle.This design also greatly simplifies upcoming evaluator work, such as introducing new builtins to replace comparing values to bottom, as well as the design of
evalv4.Other changes
The evaluator no longer deduplicates errors just by position, which was causing some useful errors from disjunctions or standard library calls to be dropped incorrectly.
Several long-standing cycle-detection bugs have been fixed, such as self-referential uses of
matchNandmatchIf, self-feeding disjunctions, and comprehensions that read aletbinding which refers back to the comprehension's own fields.Fixed a bug where the same package imported via different qualified import paths (e.g.
foo.com/bar@v0orfoo.com/bar:baz) did not share the same hidden field namespace.Resolving an unversioned import from a dependency module now respects that module's own default major version, instead of always using the main module's default.
Fix a number of issues where
cue defcould produce invalid CUE output, such as due to name conflicts.Fix an evaluator regression where embedded disjunctions across packages may not correctly apply closedness.
Fix an evaluator bug where
cue.Context.BuildExprofclose({})did not actually result in a closed struct.Fix a bug where some calls to standard library functions or validators did not include the "error in call to pkg.Func" error context, or included it twice.
A few changes to the evaluator should reduce allocated objects by up to 16%, reducing GC overhead and memory usage.
To ease the transition into the new formatter we plan to release with v0.18,
CUE_EXPERIMENT=formatv2=0is now allowed as a no-op.A number of other bugs, panics, and hangs have been resolved as well.
cmd/cueModule replaces
CUE now supports substituting a module dependency with a local directory or a different remote module during development - for example while testing a fix to a dependency before it is published, or to replace a dependency with a fork including improvements.
This configuration lives in
cue.mod/local-module.cue, which is excluded when publishing to registries.cue mod editandcue mod tidygain support for maintaining this file.We have also published a how-to guide on replacing a dependency with a local module.
Read the full design doc in the proposal, or read the
cue.mod/local-module.cuereference docs.Other changes
The new global
-Cor--chdirflag runscuefrom the given working directory.Command input parsing is improved so that CUE packages can come after data files, such as
cue vet -c data.yaml ./schema.cue import --with-contextnow ensures thatdatarepresents the original raw input data, and not its interpretation like JSON Schema.cue import --pathnow skips over null values in an input stream, such as empty documents in a YAML file.Fix a bug where the flag
cue export --pathwas ignored when the inputs were pure CUE.The new
cue exp gengotypes --outfileflag controls the output file path when generating a single package.cue vet -d/--schemanow supports hidden fields, and correctly reports an error when the command inputs are CUE only.cue fixandcue trimno longer change file modification times when no changes are necessary.A
$CUE_CACHE_DIRdirectory is no longer required when loading CUE without external dependencies.The "filetypes" lookup tables now use a more compact encoding, saving about 150KiB in binary size for
cmd/cueas well as Go API users.LSP server
Add an initial version of organize-imports, which sorts the existing imports and removes unneeded imports. It is not yet capable of suggesting missing imports.
Wait for a short period of inactivity before sending diagnostics to the editor. This "debounce" means that a user typing incomplete CUE syntax will not be distracted with syntax errors as much.
The
aliasv2experiment is now fully supported.The
renamefunction is fixed to distinguish between field names and aliases.Improve field name analysis in general so that fields with multiple aliases (e.g.
v=[k=string]: _) are properly supported.Improve attribute handling for file-level embedded attributes, and to attach attributes within expressions to the correct struct.
Treat conjunctions (
&) and disjunctions (|) the same way for goto-definition. With the cursor on a path, it returns all results that the path MAY resolve to. With the cursor on a field declaration name, it returns all results that the path constructed from the field's name, and its field's name (and so on) MAY resolve to.Special-case
closefunction calls so that paths can resolve through fields within the argument toclose.Encodings
#character, shortening names and ensuring compatibility with the wider JSON Schema ecosystem. This required deprecatingencoding/jsonschema.GenerateConfig.NameFuncin favor ofNamesFunc.The JSON Schema encoder is improved to support
list.UniqueItemsand standalone validators, to usemaxItemsandminItemsinstead ofmaxLengthandminLengthfor lists with prefix elements, and to generatedescriptionkeywords for doc comments.Several closedness bugs in the JSON Schema encoder have been fixed, ensuring that the generated JSON Schema behaves the same way as the original CUE definition.
The JSON Schema decoder is improved to better handle the
prefixItemskeyword.The ProtoBuf decoder now resolves relative references following the usual scoping rules, instead of always resolving them against the top-level scope.
Standard library
Add
time.ToUnixandtime.ToUnixNano, which convert anRFC3339Nanotime value into seconds or nanoseconds since the Unix epoch, complementing the existingUnixbuiltin.strconv.FormatFloatnow accepts a string format parameter, likeFormatFloat(3.14, "e", 4, 64).list.MatchNnow shows what expected value it's matching against when it fails.The
netIP APIs now consistently return an error on invalid input types.Go API
Using
cue.Values concurrently is now fully supported, which required deprecatingcue.Value.Context. If you encounter any races or bugs, please report them via the issue tracker.cue/loadnow supports loading from anio/fs.FS, as outlined in proposal #4285. Loading file embeds throughConfig.OverlayandConfig.FSis supported now as well.cue/ast/astutildeprecatesSanitizein favor of the newSanitizeFilesAPI, given thatSanitizeon a single file cannot know if another file in the same package shadows builtin names likeself.Add
Path.CompareandSelector.Compare, providing allocation-free total ordering suitable forslices.SortFunc.Clarify that
cue/formatindents with a tab width of 4 by default.A new fuzzer has been introduced in the
cuepackage, checking that the parser doesn't crash and that its results are consistent with the rest of the Go APIs likecue/literal. So far, it has already resulted in seventeen bug fixes.The
cue.Interpreteroption API has been deprecated in favor ofcue.WithInjection, which is a better name going forward.cue/ast.File.Imports, deprecated in mid 2025 in favor ofcue/ast.File.ImportSpecs, is now removed.cue.InstancemethodsLookup,LookupDef,LookupField, andFillare now removed.modconfig.Registryinterface is changed to report default major versions, which is required for resolving unversioned imports against each dependency module's own defaults. Clients that implement or wrap the interface will need to update. The new interface is future-proofed for upcoming modules changes.Full list of changes since v0.16.0
0fc639be73658dc3f08a160e1bb73f7aafee2eb7f50fa6c091e07f1671908428d2db9dac083b5bc31ef80f15eed4bec06b9916719376a328b32aca761bcbc901907a9906c3e97d77fe74d73286a4372d35a0f4f7772d1d3b7d162569bf7d7dd80111ed3622b489b24991a3f185b8ba6eeb8ac73092c281a361a5b9984dae5adf7f512ecd2774d78c1b159ed139d5c4e71c13d28507be6d5a3fb70abb86e14d7d4d40ad26fb24b39c7392c8e72ff12bb0a41258b9f8be9bb021f44f24f1445c76df33b9deb682521fa683ed32244d103748aaafa5272684e35486eb4f1230bbbb964c01232e6da5139794b8c8c47cf7a59daf6d7894c60ba8143d216fe7d512100df6ebec1313cd1a65400b61fdfa0353335cf0e587c6d8ae7935fe8c2a8155223cfa7ef3e0eed47493840961bb9a6d76d0adb8dd6aa4a115651def1a0c02c81f9d1b5310062ffb2fbde9f02ca774942d2ba0d46a753484e5e958e8fdf9d5f9b4c66b15022d8273d6f58f23564a67df9ffc0541orstructural cycle by @mvdan in803c837dede65af5183895a6110aaae3830297d254c37cf24697512f2735d5aa9f3f2a5f1067682d70cb40caafed34b9f5033671e268fe24489f4a928b3474e56df9efa44ce4abe46a141572629888e6f0c639f4b343757dd5b4c02fddd86bd45f3e29b71eacd0f418ae29eac8f8a581b24e6fd0e0dbc1023bcd00e2745d06056b974211d7f44f49a34f13a275c434de0a7df6dd8ef3d1889ee7f68b1edd636840dfc376fa10029db7f911d6a67e3fd30d51a9e96d2c339485d3767108b01cdb4c0afa642db679600349c293c3a7065492ed18911c7defac2fbd146e1bfa0112f438e31697a664424fe38e3cf2cd](https://redirect.giConfiguration
📅 Schedule: (UTC)
* 0-3 1 * *)🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.