fix: upgrade Go to 1.25.2 to fix multiple CVEs in stdlib #1970

Closed
codelipenghui wants to merge 1 commit into master from fix/cve-multiple-golang-stdlib-upgrade

@codelipenghui
Contributor

Summary

Upgrade Go from 1.25.0 to 1.25.2 to address multiple CVEs in the standard library affecting pulsarctl.

CVEs Fixed

References

Changes

  • Updated Go version from 1.25.0 to 1.25.2 in go.mod

Testing

  • Go modules validated
  • Dependencies resolved correctly
  • No breaking changes (patch version upgrade)
  • Backward compatible

Checklist

  • Code follows project coding standards
  • Documentation updated
  • Tests added/updated
  • All tests pass

Upgrade Go from 1.25.0 to 1.25.2 to address multiple CVEs in the standard library:

- CVE-2025-58183: archive/tar unbounded allocation
- CVE-2025-47910: CrossOriginProtection bypass
- CVE-2025-47912: IPv6 hostname validation
- CVE-2025-58185: DER parsing memory exhaustion
- CVE-2025-58186: cookie parsing exhaustion
- CVE-2025-58187: name constraints quadratic complexity
- CVE-2025-58188: DSA panic
- CVE-2025-58189: ALPN error information leak
- CVE-2025-61723: PEM parsing quadratic complexity
- CVE-2025-61724: textproto CPU consumption
- CVE-2025-61725: mail CPU consumption
- CVE-2025-61729: HostnameError DoS
- CVE-2025-61727: wildcard SAN constraint bypass

Severity: HIGH/MEDIUM
Fixes: streamnative/eng-support-tickets#3609
Fixes: streamnative/eng-support-tickets#3619
Change-Id: I12345679

@github-actions

@codelipenghui: Thanks for your contribution. For this PR, do we need to update docs?
(The PR template contains info about doc, which helps others know more about the changes. Can you provide doc-related info in this and future PR descriptions? Thanks)

@github-actions bot added the doc-info-missing label (This pr needs to mark a document option in description) on Jan 16, 2026
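
An added example, not code from this pull request or from pulsarctl: a CI gate that reads a go.mod and reports whether its `go` or `toolchain` directive forces a toolchain at or above the release named in the PR (1.25.2). The function names and the sample go.mod bodies are assumptions; since Go 1.21 the go command treats these directives as a minimum toolchain version.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// num reads component i of a dotted version; missing is 0, and anything that is
// not a plain number (rc, beta, vendor suffix) is -1 so it fails the gate.
func num(p []string, i int) int {
	if i >= len(p) {
		return 0
	}
	if n, err := strconv.Atoi(p[i]); err == nil {
		return n
	}
	return -1
}

// less reports whether dotted version a is older than b.
func less(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		if x, y := num(as, i), num(bs, i); x != y {
			return x < y
		}
	}
	return false
}

// patched reports whether a "go" or "toolchain" directive in the go.mod text
// demands a toolchain at or above fixedIn (toolchain lines read "go1.25.2").
func patched(goMod, fixedIn string) bool {
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(line)
		if len(f) >= 2 && (f[0] == "go" || f[0] == "toolchain") &&
			!less(strings.TrimPrefix(f[1], "go"), fixedIn) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed go.mod bodies; the module path is a placeholder.
	fmt.Println(patched("module example.com/tool\n\ngo 1.25.0\n", "1.25.2")) // false
	fmt.Println(patched("module example.com/tool\n\ngo 1.25.2\n", "1.25.2")) // true
}
```

The directive only sets a floor for builds from source; a release binary built earlier still carries the old standard library, which `go version -m <binary>` shows.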