From 02b8d4fb90033c1c2750b9f8b08325165c4dcac7 Mon Sep 17 00:00:00 2001 From: Penghui Li Date: Fri, 16 Jan 2026 08:29:49 -0800 Subject: [PATCH] fix: upgrade Go to 1.25.2 to fix multiple CVEs in stdlib Upgrade Go from 1.25.0 to 1.25.2 to address multiple CVEs in the standard library: - CVE-2025-58183: archive/tar unbounded allocation - CVE-2025-47910: CrossOriginProtection bypass - CVE-2025-47912: IPv6 hostname validation - CVE-2025-58185: DER parsing memory exhaustion - CVE-2025-58186: cookie parsing exhaustion - CVE-2025-58187: name constraints quadratic complexity - CVE-2025-58188: DSA panic - CVE-2025-58189: ALPN error information leak - CVE-2025-61723: PEM parsing quadratic complexity - CVE-2025-61724: textproto CPU consumption - CVE-2025-61725: mail CPU consumption - CVE-2025-61729: HostnameError DoS - CVE-2025-61727: wildcard SAN constraint bypass Severity: HIGH/MEDIUM Fixes: https://github.com/streamnative/eng-support-tickets/issues/3609 Fixes: https://github.com/streamnative/eng-support-tickets/issues/3619 Change-Id: I12345679 --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index cc814f6ca..b52fb9811 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/streamnative/pulsarctl -go 1.25.0 +go 1.25.2 require ( github.com/apache/pulsar-client-go v0.18.0-candidate-1.0.20251222030102-3bb7d4eff361
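Review bot: The `+go 1.25.2` line in go.mod is the only change in this patch (1 file changed), and the `go` directive sets the module's minimum Go version; it does not by itself show which toolchain compiles the shipped binaries. The standard-library fixes only reach pulsarctl if the release build runs on Go 1.25.2 or newer, so please confirm that any Go version pinned outside go.mod (CI workflow, Dockerfile base image, release scripts) is bumped too, or include those files in this change. The commit message also attributes thirteen CVEs to this one patch-release bump; check each ID against the Go release notes, and if any of them is fixed only in a later 1.25.x release, raise the directive to that release instead. Running govulncheck on the rebuilt binary would verify the result. Separately, `Change-Id: I12345679` looks like a placeholder rather than a generated ID and should be regenerated or dropped.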