
cloudflared/2025.11.1-r2: cve remediation#77824

Closed
octo-sts[bot] wants to merge 1 commit into main from cve-cloudflared-2025.11.1-r2-4d7f957e38176aa8f9a7e7c412b4ed78

Conversation


@octo-sts octo-sts Bot commented Jan 11, 2026

cloudflared/2025.11.1-r2: fix GHSA-527x-5wrf-22m2

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/cloudflared.advisories.yaml


"Breadcrumbs" for this automated service

Inspected git repositories: https://github.com/cloudflare/cloudflared@2025.11.1

@octo-sts octo-sts Bot added automated pr request-cve-remediation go/bump GHSA-527x-5wrf-22m2 p:cloudflared P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. labels Jan 11, 2026

octo-sts Bot commented Jan 11, 2026

🛑 Build Failed: Compilation

vendor/github.com/quic-go/quic-go/http3/client.go:96:31: too many arguments in call to qpack.NewDecoder
have (func(hf qpack.HeaderField))
want ()

Build Details

Build System: Go
Failure Point: go build command during compilation of github.com/quic-go/quic-go/http3 package

Root Cause Analysis 🔍

API incompatibility between quic-go/http3 package and qpack dependency. The qpack.NewDecoder function signature has changed - it no longer accepts a callback function parameter, but the quic-go code is still calling it with the old signature. This is likely due to dependency version mismatches after the go/bump step updated packages.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: go.mod

  • dependency_update at line N/A (require section)
    Original:
Current quic-go version (likely latest)

Replacement:

github.com/quic-go/quic-go v0.40.1 (or other compatible version that matches qpack API)

Content:

Pin quic-go to a compatible version that works with the current qpack dependency

File: Melange YAML

  • dependency_pin at line 25-27 (go/bump section)
    Original:
deps: |-
        golang.org/x/crypto@v0.45.0
        github.com/coredns/coredns@v1.14.0

Replacement:

deps: |-
        golang.org/x/crypto@v0.45.0
        github.com/coredns/coredns@v1.14.0
        github.com/quic-go/quic-go@v0.40.1

Content:

Add explicit version pinning for quic-go to ensure API compatibility

Analysis

No similar build failures were provided for analysis. However, the error indicates a clear API incompatibility issue where the qpack.NewDecoder function signature has changed between versions - it no longer accepts a callback function parameter but the quic-go code is still calling it with the old signature. This type of issue typically occurs when Go dependencies are updated (via go/bump) but the consuming code hasn't been updated to match the new API.


Explanation

The build failure is caused by an API incompatibility between the quic-go HTTP/3 client and the qpack dependency. The qpack.NewDecoder function signature has changed to no longer accept a callback function parameter, but the quic-go code is still calling it with the old signature. This commonly happens when go/bump updates dependencies but creates version mismatches. The fix involves pinning the quic-go version to one that is compatible with the current qpack version. Version 0.40.1 or similar should maintain API compatibility. By explicitly pinning this in the go/bump step, we ensure consistent dependency resolution and prevent the API mismatch that's causing the compilation error.


Alternative Approaches

  • Update qpack to a version compatible with the latest quic-go (may require more extensive changes)
  • Apply a patch to the quic-go vendor code to handle the new qpack API signature
  • Use go mod replace directives to force specific compatible versions of both packages
  • Wait for upstream cloudflared to update their dependencies to compatible versions

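The compile error in the bot's report is a minimal version selection (MVS) outcome: bumping one module lets Go's resolver pull a v0.x dependency (qpack) past the minor the vendored quic-go was built against, and v0 minors carry no compatibility promise. The program below is an added illustration, not code from cloudflared, quic-go or the Wolfi/melange tooling. It implements MVS over a constructed module graph and then applies the check a reviewer would want before accepting the "pin quic-go" suggestion: does every module that actually lands in the build list declare the same minor of each v0.x dependency that MVS selected? The module paths github.com/quic-go/quic-go and github.com/quic-go/qpack are real; the quic-go v0.40.1 pin and the golang.org/x/crypto@v0.45.0 bump come from the suggestion above; every other version, the example.com/fixedlib module and the quic-go v0.41.0 release are assumptions made up for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Module is one module@version node in the constructed graph.
type Module struct {
	Path    string
	Version string // "vMAJOR.MINOR.PATCH"
}

// Graph maps a module@version to the requirements its go.mod declares.
type Graph map[Module][]Module

const (
	rootPath = "github.com/cloudflare/cloudflared"
	quicGo   = "github.com/quic-go/quic-go"
	qpack    = "github.com/quic-go/qpack"
	xcrypto  = "golang.org/x/crypto"
	fixedLib = "example.com/fixedlib" // hypothetical module the CVE bump brings in
)

// parseVer turns "v0.40.1" into [0 40 1]; unparsable components read as 0.
func parseVer(v string) [3]int {
	var out [3]int
	for i, p := range strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3) {
		if n, err := strconv.Atoi(p); err == nil {
			out[i] = n
		}
	}
	return out
}

// less reports whether version a sorts before version b.
func less(a, b string) bool {
	pa, pb := parseVer(a), parseVer(b)
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// buildGraph returns the constructed graph with the root requiring quic-go at
// quicGoVersion. All versions except the v0.40.1 pin and the x/crypto v0.45.0
// bump are invented for this illustration.
func buildGraph(quicGoVersion string) (Graph, Module) {
	root := Module{rootPath, "v0.0.0"}
	g := Graph{
		root: {
			{quicGo, quicGoVersion},
			{xcrypto, "v0.45.0"}, // the go/bump entry from the melange deps block
			{fixedLib, "v1.1.0"}, // hypothetical: the module the remediation needs
		},
		{quicGo, "v0.40.1"}:  {{qpack, "v0.4.0"}}, // built against the older qpack API
		{quicGo, "v0.41.0"}:  {{qpack, "v0.5.0"}}, // hypothetical release built against the newer one
		{fixedLib, "v1.1.0"}: {{qpack, "v0.5.0"}}, // drags qpack past what quic-go v0.40.1 expects
	}
	return g, root
}

// mvs is minimal version selection: walk every reachable module@version and keep,
// per module path, the highest version any go.mod on the walk asks for.
func mvs(g Graph, root Module) map[string]string {
	selected := map[string]string{}
	seen := map[Module]bool{root: true}
	queue := []Module{root}
	for len(queue) > 0 {
		m := queue[0]
		queue = queue[1:]
		for _, dep := range g[m] {
			if cur, ok := selected[dep.Path]; !ok || less(cur, dep.Version) {
				selected[dep.Path] = dep.Version
			}
			if !seen[dep] {
				seen[dep] = true
				queue = append(queue, dep)
			}
		}
	}
	return selected
}

// v0MinorMismatches reports each requirement, from a module that is actually in the
// build list, on a v0.x dependency that MVS selected at a different minor than the
// requiring module declares. Each hit is a candidate for a signature mismatch.
func v0MinorMismatches(g Graph, root Module, selected map[string]string) []string {
	var hits []string
	for m, deps := range g {
		if m != root && selected[m.Path] != m.Version {
			continue // an unselected version never reaches the compiler
		}
		for _, dep := range deps {
			want, got := parseVer(dep.Version), parseVer(selected[dep.Path])
			if want[0] == 0 && got[0] == 0 && want[1] != got[1] {
				hits = append(hits, fmt.Sprintf("%s@%s requires %s@%s but %s was selected",
					m.Path, m.Version, dep.Path, dep.Version, selected[dep.Path]))
			}
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	for _, pin := range []string{"v0.40.1", "v0.41.0"} {
		g, root := buildGraph(pin)
		sel := mvs(g, root)
		fmt.Printf("quic-go@%s: MVS selects qpack@%s\n", pin, sel[qpack])
		for _, h := range v0MinorMismatches(g, root, sel) {
			fmt.Println("  mismatch:", h)
		}
	}
}
```

With quic-go pinned at v0.40.1 the walk selects qpack v0.5.0 (pulled in by the hypothetical fixedlib) while quic-go v0.40.1 declares v0.4.0, which is the shape of the qpack.NewDecoder failure; pinning the hypothetical v0.41.0, whose go.mod already names qpack v0.5.0, clears the report. Against a real checkout the graph would come from `go mod graph` rather than a hand-built literal, but the check is the same: a pin is only a fix when the pinned version's own go.mod agrees with what MVS selects for its v0.x neighbours.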

@octo-sts octo-sts Bot added the ai/skip-comment Stop AI from commenting on PR label Jan 11, 2026
@catmsred catmsred self-assigned this Jan 19, 2026

octo-sts Bot commented Jan 20, 2026

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-qpmq-jp76-vgm8 has the latest event type of "PENDING_UPSTREAM_FIX"

View with: cg adv show CGA-qpmq-jp76-vgm8

ID:      CGA-qpmq-jp76-vgm8
Package: cloudflared
Aliases: CVE-2025-68151 GHSA-527x-5wrf-22m2 GO-2026-4289 CGA-f6c8-358q-hcm4
Events:
  - "DETECTION" at 2026-01-14 17:34:27 UTC
  - "PENDING_UPSTREAM_FIX" at 2026-01-17 02:19:55 UTC
