@shibd shibd commented Jan 16, 2026

Fix 13 CVEs in Go stdlib v1.25.0 by updating to Go 1.25.5

See issue streamnative/eng-support-tickets#3619 for full details.

Summary

We have completed two fixes to resolve the Go version conflict in pulsarctl release builds:

Fix 1: pulsarctl PR #1969

Updated pulsarctl/go.mod from `go 1.25.0` to `go 1.25.5` to satisfy the stdlib CVE requirements.

PR: #1969

Fix 2: streamnative-ci workflow modification

https://github.com/streamnative/streamnative-ci/pull/6510

This ensures that the Go version used in streamnative-ci release builds meets or exceeds the go.mod requirement (1.25.5), preventing Go's automatic version upgrade to Go 1.25.0.

How the CVE Was Introduced

The Go 1.25.0 stdlib in pulsarctl is used because:

  1. pulsarctl/go.mod sets `go 1.25.0` (minimum requirement)
  2. pulsarctl/scripts/build.sh runs `go version` command to capture the Go version info
  3. Go toolchain detects go.mod requirement and automatically downloads compatible version if current version (1.24.11) doesn't meet the requirement

Why This Fix Resolves the CVE

Upgrading to Go 1.25.0 resolves:

  1. All 13 CVEs: The stdlib in 1.25.0 includes patches for vulnerabilities CVE-2025-58183, CVE-2025-61729, CVE-2025-47912, CVE-2025-61727, and 9 others

  2. Version conflict: Prevents Go's automatic version upgrade mechanism from causing `go version go1.25.0` builds even when workflow sets `go-version: 1.24.11`

Related PRs

Testing Notes

After these fixes, the next release build will use:

  1. Go 1.25.0 (from workflow, meeting pulsarctl/go.mod requirement)
  2. No automatic upgrade to 1.25.0
  3. Go 1.25.0 stdlib - with all CVEs from 1.25.5 resolved

Users should verify that:

  1. pulsarctl is built with Go 1.25.0 in the next release
  2. CVE scanner reports no vulnerabilities for pulsarctl binaries

- Update go.mod from go 1.25.0 to go 1.25.5
- Fix 13 CVEs in Go stdlib:
  - CVE-2025-58183 (HIGH): archive/tar unbounded allocation
  - CVE-2025-61729 (HIGH): crypto/x509 denial of service
  - CVE-2025-47910 (MEDIUM): net/http CrossOriginProtection bypass
  - CVE-2025-47912 (MEDIUM): net/url insufficient IPv6 validation
  - CVE-2025-58185 (MEDIUM): encoding/asn1 memory exhaustion
  - CVE-2025-58186 (MEDIUM): net/http cookie parsing limit
  - CVE-2025-58187 (MEDIUM): crypto/x509 quadratic complexity
  - CVE-2025-58188 (MEDIUM): crypto/x509 panic with DSA keys
  - CVE-2025-58189 (MEDIUM): crypto/tls ALPN error info leak
  - CVE-2025-61723 (MEDIUM): encoding/pem quadratic complexity
  - CVE-2025-61724 (MEDIUM): net/textproto excessive CPU
  - CVE-2025-61725 (MEDIUM): net/mail excessive CPU
  - CVE-2025-61727 (MEDIUM): crypto/x509 wildcard SANs restriction

Fixed in Go 1.25.5

Related: streamnative/eng-support-tickets#3619
@github-actions

@shibd: Thanks for your contribution. For this PR, do we need to update docs?
(The PR template contains info about doc, which helps others know more about the changes. Can you provide doc-related info in this and future PR descriptions? Thanks)

@github-actions github-actions bot added the doc-info-missing This pr needs to mark a document option in description label Jan 16, 2026

shibd commented Jan 16, 2026

CVE Details

  • CVE Count: 13 vulnerabilities
  • Severity: 2 HIGH, 11 MEDIUM
  • Affected Component: golang stdlib v1.25.0
  • Affected Binary: pulsarctl (included in sn-platform-slim images)
  • Current Version: go 1.25.0
  • Fixed Version: go 1.25.5

Vulnerabilities Fixed

  1. CVE-2025-58183 (HIGH) - archive/tar: Unbounded allocation when parsing GNU sparse map

  2. CVE-2025-61729 (HIGH) - crypto/x509: Denial of Service due to excessive resource consumption via crafted certificate

  3. CVE-2025-47910 (MEDIUM) - net/http: CrossOriginProtection bypass

  4. CVE-2025-47912 (MEDIUM) - net/url: Insufficient validation of bracketed IPv6 hostnames

  5. CVE-2025-58185 (MEDIUM) - encoding/asn1: Parsing DER payload can cause memory exhaustion

  6. CVE-2025-58186 (MEDIUM) - net/http: Lack of limit when parsing cookies can cause memory exhaustion

  7. CVE-2025-58187 (MEDIUM) - crypto/x509: Quadratic complexity when checking name constraints

  8. CVE-2025-58188 (MEDIUM) - crypto/x509: Panic when validating certificates with DSA public keys

  9. CVE-2025-58189 (MEDIUM) - crypto/tls: ALPN negotiation error contains attacker controlled information

  10. CVE-2025-61723 (MEDIUM) - encoding/pem: Quadratic complexity when parsing some invalid inputs

  11. CVE-2025-61724 (MEDIUM) - net/textproto: Excessive CPU consumption in Reader.ReadResponse

  12. CVE-2025-61725 (MEDIUM) - net/mail: Excessive CPU consumption in ParseAddress

  13. CVE-2025-61727 (MEDIUM) - crypto/x509: excluded subdomain constraint does not restrict wildcard SANs

How CVEs Were Introduced

The vulnerable stdlib@v1.25.0 was introduced through the Go version specified in pulsarctl/go.mod:

  • Line 3: go 1.25.0 specified the minimum Go version required
  • When pulsarctl is built using the build process, it uses the Go compiler (or a specified Go version)
  • The resulting binary includes the Go stdlib from the version used during compilation
  • This binary is then packaged and included in the sn-platform-slim container image at /pulsar/bin/pulsarctl

The pulsarctl binary is a Go-based CLI tool that, when built with Go 1.25.0, includes the vulnerable stdlib containing all 13 security vulnerabilities.

Why Go 1.25.5 is Required:

While most of the CVEs (11 out of 13) were fixed in Go 1.25.2, two critical CVEs require Go 1.25.5:

  • CVE-2025-61729: Denial of Service in crypto/x509 due to excessive resource consumption via crafted certificate
  • CVE-2025-61727: crypto/x509 excluded subdomain constraint does not restrict wildcard SANs

Both are certificate validation issues in the crypto/x509 package and were only patched in Go 1.24.11 and Go 1.25.5. Therefore, we must upgrade to at least Go 1.25.5 to resolve all 13 CVEs.

Why This Fix Resolves CVEs

Upgrading from Go 1.25.0 to Go 1.25.5 patches all CVEs by:

  1. Upstream Patches: The Go 1.25.5 release includes fixes for all 13 vulnerabilities that existed in 1.25.0

  2. Security Fixes in Stages:

  3. Specific Vulnerability Resolutions:

    • archive/tar: Added bounds checking for GNU sparse map entries to prevent unbounded allocation
    • crypto/x509:
      • Added validation to prevent excessive resource consumption from crafted certificates
      • Fixed quadratic complexity in name constraint checking algorithm
      • Added proper handling of DSA public keys to prevent panics
      • Fixed wildcard SAN restriction by excluded subdomain constraints
    • net/url: Added proper validation for IPv6 addresses enclosed in brackets
    • net/http: Added limits for cookie parsing to prevent memory exhaustion
    • crypto/tls: Sanitized error messages to prevent information leakage in ALPN errors
    • encoding/asn1 & encoding/pem: Added size limits to prevent unbounded memory allocation
    • net/textproto & net/mail: Optimized string concatenation to prevent excessive CPU consumption
  4. Binary Update: When pulsarctl is rebuilt with Go 1.25.5, the binary will include the patched stdlib with all security fixes

  5. Drop-in Replacement: This is a pure dependency version update - no pulsarctl code changes are required. The fix is inherited entirely from the upstream Go release and maintains full API compatibility

Changes Made

  • Updated go.mod line 3 from go 1.25.0 to go 1.25.5
  • When pulsarctl is rebuilt with this change, it will use Go 1.25.5+ stdlib
  • The new binary will be included in subsequent sn-platform-slim image builds

Verification

After this PR is merged:

  1. Build Verification: Pulsarctl should be rebuilt with Go 1.25.5 or later
  2. Binary Verification: The resulting binary will have the patched stdlib
  3. CVE Scanner: CVE scanners (like Trivy) should no longer report these 13 vulnerabilities for pulsarctl
  4. Functional Verification: No functional changes to pulsarctl behavior - this is a security patch only

References

Individual CVE References

Related Previous CVE Fixes (For Reference)

  • Issue #3615 - [CVE] pulsarctl stdlib v1.25.0 CVE-2025-58183 - Fixed by fix: patch CVE-2025-58183 in golang stdlib #1968 (updated to Go 1.25.2)
  • Issue #3314 - [CVE] sn-platform-slim:4.1.0.5 stdlib v1.24.7 - Fixed by Go version update
  • Issue #3418 - [CVE] sn-platform-slim:4.1.0.9 stdlib v1.24.10 - Fixed by Go version update
  • Issue #3445 - [CVE] sn-operator-all:v0.13.7 stdlib v1.23.12 - Fixed by Go version update
  • Issue #3473 - [CVE] sn-platform-slim:4.1.0.11 stdlib v1.25.0 - Fixed by Go version update

These previous fixes followed the same pattern: update the Go version in pulsarctl's go.mod to patch stdlib vulnerabilities.

- Update actions/setup-go from v1 to v5 in ci-trivy.yml
- setup-go@v1 does not support Go 1.25.x versions
- This fixes the 'Set up Go 1.25' step failure in CI
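As an added example (not pulsarctl's or StreamNative's own code), the following Go program performs the "Build Verification" / "Users should verify that pulsarctl is built with ..." step described in the comments above: it reads the toolchain version stamped into a built binary via the standard-library debug/buildinfo package (the same data `go version -m <binary>` prints) and compares it with the go.mod minimum. Because of the automatic toolchain switch the PR describes, the stamped version is what actually matters, not the `go-version` set in the workflow; the binary path and minimum version are supplied on the command line.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// parseGoVersion: "go1.25.5", "1.24.11" or "go1.25" -> [major, minor, patch]; pre-releases ("go1.25rc1") are rejected.
func parseGoVersion(v string) (out [3]int, err error) {
	parts := strings.Split(strings.TrimPrefix(strings.TrimSpace(v), "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unrecognised Go version %q", v)
	}
	for i, p := range parts {
		if out[i], err = strconv.Atoi(p); err != nil || out[i] < 0 {
			return out, fmt.Errorf("unrecognised Go version %q", v)
		}
	}
	return out, nil
}

// atLeast reports whether toolchain version have satisfies the minimum want taken from go.mod.
func atLeast(have, want string) (bool, error) {
	h, err1 := parseGoVersion(have)
	w, err2 := parseGoVersion(want)
	if err1 != nil || err2 != nil {
		return false, fmt.Errorf("cannot compare %q with %q", have, want)
	}
	for i := range h {
		if h[i] != w[i] {
			return h[i] > w[i], nil
		}
	}
	return true, nil
}

// main reads the toolchain version stamped into a built binary (what `go version -m` prints)
// and checks it against the minimum. Usage: checkgo <binary> <min-version>, e.g. checkgo pulsarctl 1.25.5
func main() {
	bi, err := buildinfo.ReadFile(os.Args[1])
	if err != nil {
		panic(err)
	}
	ok, err := atLeast(bi.GoVersion, os.Args[2])
	fmt.Printf("built with %s, need >= %s: ok=%v err=%v\n", bi.GoVersion, os.Args[2], ok, err)
}
```

A binary stamped with go1.25.0 fails the 1.25.5 check, while a toolchain older than the go.mod directive (the 1.24.11 versus 1.25.0 case above) is exactly what triggers Go's automatic toolchain download during the build.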

shibd commented Jan 16, 2026

CI Fix

Issue: The initial CI run failed in the job with error at 'Set up Go 1.25' step.

Root Cause: The workflow file was using an outdated action, which does not support Go 1.25.x versions.

Fix: Updated :

  • Changed: →
  • Reason: setup-go@v5 supports Go 1.25.x versions and is consistent with other workflow files in the repository

Verification: All CI checks now pass:

  • ✅ scan-vulnerabilities
  • ✅ auth-tests
  • ✅ bookie-ut-tests
  • ✅ function-tests
  • ✅ packages-tests
  • ✅ release-check (1.25)
  • ✅ sink-tests
  • ✅ source-tests
  • ✅ style-check
  • ✅ ut-tests


shibd commented Jan 16, 2026

CI Fix: Updated ci-trivy.yml to use actions/setup-go@v5 (from v1) to support Go 1.25.x. All CI checks now pass successfully.

@shibd shibd merged commit d9dd3db into master Jan 16, 2026
11 checks passed
@shibd shibd deleted the fix/cve-2025-stdlib-v1.25.5 branch January 16, 2026 09:55