
Conversation

@shibd shibd commented Jan 16, 2026

Summary

Fix CVE-2025-58183: Unbounded allocation when parsing GNU sparse map in Go's archive/tar package

CVE Details

How the CVE Was Introduced

The vulnerable [email protected] was introduced through the Go version specified in pulsarctl/go.mod:

  • Line 3: go 1.25.0 specified the minimum Go version required
  • When pulsarctl is built using make pulsarctl, it uses the system's Go compiler
  • The resulting binary includes the Go stdlib from version 1.25.0
  • This binary is then included in the sn-platform-slim container image at /pulsar/bin/pulsarctl

The pulsarctl binary is a Go-based CLI tool built with Go 1.25.0, which includes the vulnerable stdlib. The vulnerability exists in the archive/tar package which handles tar archive parsing.

Why This Fix Resolves the CVE

Upgrading from Go 1.25.0 to Go 1.25.2 patches the CVE as follows:

  1. The Go 1.25.2 release includes a fix for CVE-2025-58183
  2. The fix adds proper bounds checking when parsing GNU sparse map entries in tar files
  3. When pulsarctl is rebuilt with Go 1.25.2, the binary will include the patched stdlib
  4. The vulnerability is eliminated without any code changes required in pulsarctl itself

This is a pure dependency version update - no pulsarctl code changes are needed. The fix is inherited from the upstream Go release.

Changes Made

  • Updated go.mod line 3 from go 1.25.0 to go 1.25.2
  • When pulsarctl is rebuilt with this change, it will use Go 1.25.2+ stdlib
  • The new binary will be included in subsequent sn-platform-slim image builds

Verification

After this PR is merged:

  1. Pulsarctl should be rebuilt with Go 1.25.2 or later
  2. The resulting binary will have the patched stdlib
  3. CVE scanners should no longer report this vulnerability for pulsarctl
  4. No functional changes to pulsarctl behavior - this is a security patch only

References

Related Previous CVE Fixes (For Reference)

These previous fixes followed the same pattern: update the Go version in pulsarctl's go.mod to patch stdlib vulnerabilities.

- Update go.mod from go 1.25.0 to go 1.25.2
- Fix CVE-2025-58183: Unbounded allocation when parsing GNU sparse map in archive/tar

CVE: https://nvd.nist.gov/vuln/detail/CVE-2025-58183
Severity: HIGH
Affected: [email protected] in pulsarctl binary
Fixed Version: 1.25.2

The vulnerability in Go's stdlib archive/tar package allows unbounded memory
allocation when parsing GNU tar pax 1.0 sparse files. By upgrading to Go 1.25.2,
this vulnerability is resolved.

Related: streamnative/eng-support-tickets#3615
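The allocation pattern behind the CVE described above, as an added example that is neither pulsarctl's nor the Go standard library's code: a parser for the pax 1.0 sparse map (a decimal entry count, then offset/length pairs, each field newline-terminated) that checks the header-supplied count against a cap before using it as an allocation size. The name MaxSparseEntries and its value are assumptions for this example, not the limit the upstream fix uses.

```go
package main

import (
	"bufio"
	"errors"
	"io"
	"strconv"
)

// MaxSparseEntries bounds the entry count; an assumption for this example, not Go's own limit.
const MaxSparseEntries = 1 << 16
var ErrTooManyEntries = errors.New("sparse map: entry count exceeds limit")
type SparseEntry struct{ Offset, Length int64 }

// readDecimal reads one newline-terminated, non-negative decimal field.
func readDecimal(br *bufio.Reader) (int64, error) {
	line, err := br.ReadString('\n') // io.EOF here means the map is truncated
	if err != nil {
		return 0, err
	}
	v, err := strconv.ParseInt(line[:len(line)-1], 10, 64)
	if err != nil || v < 0 {
		return 0, errors.New("sparse map: malformed decimal field")
	}
	return v, nil
}

// ParsePAX10SparseMap parses the GNU pax 1.0 sparse map that precedes a sparse member's
// data: a decimal entry count, then that many offset/length pairs. The count comes from the
// archive, so it is checked before it sizes an allocation; an unbounded parser would not.
func ParsePAX10SparseMap(r io.Reader) ([]SparseEntry, error) {
	br := bufio.NewReader(r)
	n, err := readDecimal(br)
	if err != nil {
		return nil, err
	}
	if n > MaxSparseEntries {
		return nil, ErrTooManyEntries
	}
	entries := make([]SparseEntry, n) // safe: n is bounded
	for i := range entries {
		if entries[i].Offset, err = readDecimal(br); err != nil {
			return nil, err
		}
		if entries[i].Length, err = readDecimal(br); err != nil {
			return nil, err
		}
	}
	return entries, nil
}
```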
@github-actions

@shibd: Thanks for your contribution. For this PR, do we need to update docs?
(The PR template contains info about doc, which helps others know more about the changes. Can you provide doc-related info in this and future PR descriptions? Thanks)

@github-actions github-actions bot added the label doc-info-missing ("This pr needs to mark a document option in description") on Jan 16, 2026
@shibd shibd closed this Jan 16, 2026