fix(security): update Go from 1.24.4 to 1.25.7 to address multiple CVEs#696
Merged: tembleking merged 1 commit into master, Feb 5, 2026
Update Go version to fix 17+ security vulnerabilities in the standard library.
Contributor
Pull request overview
This PR updates the Go version from 1.24.4 to 1.25.7 to address 17 security vulnerabilities in the standard library, including 3 critical vulnerabilities that enable remote code execution, arbitrary file writes, and code injection.
Changes:
- Updated Go version directive in go.mod from 1.24.4 to 1.25.7
Jujuyeh approved these changes, Feb 5, 2026

davidag approved these changes, Feb 5, 2026

fcracker79 pushed a commit that referenced this pull request, Mar 5, 2026:
…Es (#696)

## Summary

Update Go version from 1.24.4 to 1.25.7 to fix **17+ security vulnerabilities** in the standard library, including **3 critical RCE/code injection** vulnerabilities.

## Vulnerabilities Fixed

### Go 1.24.5 (July 2025)

| CVE | Component | Severity | Description |
|-----|-----------|----------|-------------|
| CVE-2025-4674 | `cmd/go` | High | Unexpected command execution in untrusted VCS repositories |

### Go 1.24.6 (August 2025)

| CVE | Component | Severity | Description |
|-----|-----------|----------|-------------|
| CVE-2025-47906 | `os/exec` | Medium | `LookPath` returns unexpected paths when PATH contains executables |
| CVE-2025-47907 | `database/sql` | Medium | Race condition in `Rows.Scan()` can overwrite parallel query results |

### Go 1.24.8 / 1.25.2 (October 2025)

| CVE | Component | Severity | Description |
|-----|-----------|----------|-------------|
| CVE-2025-58186 | `net/http` | High | Memory exhaustion: no limit on number of cookies parsed |
| CVE-2025-58187 | `crypto/x509` | High | DoS: name constraint checking scales non-linearly with cert size |
| CVE-2025-61724 | `net/textproto` | Medium | CPU exhaustion in `Reader.ReadResponse` with many short lines |

### Go 1.24.11 / 1.25.5 (December 2025)

| CVE | Component | Severity | Description |
|-----|-----------|----------|-------------|
| CVE-2025-61727 | `crypto/x509` | High | Excluded subdomain constraints don't restrict wildcard SANs |
| CVE-2025-61729 | `crypto/x509` | Medium | DoS: `HostnameError.Error()` O(n²) string concatenation |

### Go 1.24.12 / 1.25.6 (January 2026)

| CVE | Component | Severity | Description |
|-----|-----------|----------|-------------|
| CVE-2025-61726 | `net/url` | High | Memory exhaustion: no limit on query parameters |
| CVE-2025-61728 | `archive/zip` | Medium | DoS: super-linear filename indexing with malicious ZIPs |
| CVE-2025-61730 | `crypto/tls` | Medium | TLS 1.3 messages processed at incorrect encryption level |
| CVE-2025-61731 | `cmd/go` | **Critical** | Arbitrary file write via `#cgo pkg-config:` directive |
| CVE-2025-68119 | `cmd/go` | **Critical** | RCE via malicious version strings in Mercurial/Git |
| CVE-2025-68121 | `crypto/tls` | High | Session hijacking: ticket keys copied in `Config.Clone()` |

### Go 1.24.13 / 1.25.7 (February 2026)

| CVE | Component | Severity | Description |
|-----|-----------|----------|-------------|
| CVE-2025-61732 | `cmd/cgo` | **Critical** | Code smuggling via Go/C++ comment parsing discrepancy |

## Verification

```
$ govulncheck ./...
=== Symbol Results ===

No vulnerabilities found.

Your code is affected by 0 vulnerabilities.
```

## Test plan

- [x] `govulncheck ./...` reports 0 vulnerabilities
- [ ] CI build passes
- [ ] Unit tests pass
- [ ] Acceptance tests pass
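A CI-side guard for the kind of change this PR makes, added here as an example (it is not part of this PR or of the project's code): it reads the `go` directive from a go.mod and fails when the pinned version is older than the release that carries the fixes, 1.25.7 per the PR title. The go.mod content below is constructed, and `goDirective`, `compareVersions` and `meetsMinimum` are names chosen for this example. It complements rather than replaces the `govulncheck ./...` run shown in the Verification section, which checks the symbols the binary actually uses.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Oldest Go release carrying every fix listed in the PR (assumption taken from
// the PR title; raise it when a later patch release becomes the floor).
const minimumGoVersion = "1.25.7"

// sampleGoMod is a constructed go.mod so the example runs offline;
// it is not the project's real go.mod.
const sampleGoMod = `module example.com/constructed/service

go 1.25.7

require (
	github.com/example/dep v1.2.3
)
`

// goDirective returns the version on the "go X.Y[.Z]" line of a go.mod.
func goDirective(modContent string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(modContent))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 2 && fields[0] == "go" {
			return fields[1], nil
		}
	}
	return "", errors.New("go.mod has no go directive")
}

// parseVersion splits "1.25.7" into numeric components. A missing patch number
// counts as 0, so "1.25" equals "1.25.0". Pre-release forms such as "1.25rc1"
// are rejected rather than guessed at, so the check fails closed.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unrecognised Go version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, fmt.Errorf("unrecognised Go version %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// compareVersions returns -1, 0 or 1 as a is older than, equal to or newer than b.
func compareVersions(a, b string) (int, error) {
	va, err := parseVersion(a)
	if err != nil {
		return 0, err
	}
	vb, err := parseVersion(b)
	if err != nil {
		return 0, err
	}
	for i := 0; i < 3; i++ {
		switch {
		case va[i] < vb[i]:
			return -1, nil
		case va[i] > vb[i]:
			return 1, nil
		}
	}
	return 0, nil
}

// meetsMinimum reports whether the go.mod content pins a Go version at or
// above minVersion. Any parse failure is reported as an error, not as a pass.
func meetsMinimum(modContent, minVersion string) (bool, error) {
	v, err := goDirective(modContent)
	if err != nil {
		return false, err
	}
	c, err := compareVersions(v, minVersion)
	if err != nil {
		return false, err
	}
	return c >= 0, nil
}

func main() {
	ok, err := meetsMinimum(sampleGoMod, minimumGoVersion)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	if !ok {
		fmt.Fprintf(os.Stderr, "go.mod pins a Go version older than %s\n", minimumGoVersion)
		os.Exit(1)
	}
	fmt.Printf("go directive satisfies minimum %s\n", minimumGoVersion)
}
```

The `go` directive is a language-version floor, not a guarantee of which toolchain built the artifact: a `toolchain` line in go.mod or the `GOTOOLCHAIN` environment variable can select a different release. A complete gate therefore also records `go version -m` of the produced binary and keeps the `govulncheck` run from the PR's test plan as the authoritative signal.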