Skip to content

Update library versions to resolve vulnerabilities reported by trivy: #681

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
christophetd merged 1 commit into from
May 7, 2025
Merged

Update library versions to resolve vulnerabilities reported by trivy: #681

christophetd merged 1 commit into from
May 7, 2025

Conversation

@KrisKennawayDD
Copy link
Contributor

@KrisKennawayDD KrisKennawayDD commented May 7, 2025

Resolves the following vulnerabilities:

┌───────────────────────────┬────────────────┬──────────┬──────────┬─────────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│          Library          │ Vulnerability  │ Severity │  Status  │  Installed Version  │ Fixed Version │                           Title                           │
├───────────────────────────┼────────────────┼──────────┼──────────┼─────────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ github.com/golang-jwt/jwt │ CVE-2025-30204 │ HIGH     │ affected │ v3.2.2+incompatible │               │ golang-jwt/jwt: jwt-go allows excessive memory allocation │
│                           │                │          │          │                     │               │ during header parsing                                     │
│                           │                │          │          │                     │               │ https://avd.aquasec.com/nvd/cve-2025-30204                │
├───────────────────────────┼────────────────┤          ├──────────┼─────────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ golang.org/x/crypto       │ CVE-2025-22869 │          │ fixed    │ v0.32.0             │ 0.35.0        │ golang.org/x/crypto/ssh: Denial of Service in the Key     │
│                           │                │          │          │                     │               │ Exchange of golang.org/x/crypto/ssh                       │
│                           │                │          │          │                     │               │ https://avd.aquasec.com/nvd/cve-2025-22869                │
├───────────────────────────┼────────────────┼──────────┤          ├─────────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ golang.org/x/net          │ CVE-2025-22870 │ MEDIUM   │          │ v0.34.0             │ 0.36.0        │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy:  │
│                           │                │          │          │                     │               │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net │
│                           │                │          │          │                     │               │ https://avd.aquasec.com/nvd/cve-2025-22870                │
│                           ├────────────────┤          │          │                     ├───────────────┼───────────────────────────────────────────────────────────┤
│                           │ CVE-2025-22872 │          │          │                     │ 0.38.0        │ golang.org/x/net/html: Incorrect Neutralization of Input  │
│                           │                │          │          │                     │               │ During Web Page Generation in x/net in...                 │
│                           │                │          │          │                     │               │ https://avd.aquasec.com/nvd/cve-2025-22872                │
└───────────────────────────┴────────────────┴──────────┴──────────┴─────────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

I confirmed tests are still passing.

@KrisKennawayDD
Update library versions to resolve vulnerabilities reported by trivy:
956e478 
github.com/golang-jwt/jwt v3.2.2 -> 4.5.2
golang.org/x/net v0.34.0 -> 0.38.0
golang.org/x/crypto v0.32.0 -> v0.36.0
@christophetd christophetd merged commit d5d25ab into DataDog:main May 7, 2025
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@christophetd christophetd christophetd approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@KrisKennawayDD @christophetd