Skip to content

security(gomod): 🛡️ minor indirect to v0.45.0 #196

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: main
Choose a base branch
from
Open

security(gomod): 🛡️ minor indirect to v0.45.0 #196

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Dec 10, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
golang.org/x/crypto v0.36.0v0.45.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-58181

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

CVE-2025-47914

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Potential denial of service in golang.org/x/crypto/ssh/agent

CVE-2025-47913 / GO-2025-4116

More information

Details

SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent

CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135

More information

Details

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Unbounded memory consumption in golang.org/x/crypto/ssh

CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134

More information

Details

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption

CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134

More information

Details

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read

CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135

More information

Details

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner December 10, 2025 15:56
@renovate renovate bot requested a review from pacificcode December 10, 2025 15:56
@renovate renovate bot enabled auto-merge (squash) December 10, 2025 15:56
@renovate
Copy link
Contributor Author

renovate bot commented Dec 10, 2025

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 7 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.23.0 -> 1.24.0
golang.org/x/sys v0.31.0 -> v0.38.0
golang.org/x/mod v0.17.0 -> v0.29.0
golang.org/x/net v0.38.0 -> v0.47.0
golang.org/x/sync v0.12.0 -> v0.18.0
golang.org/x/term v0.30.0 -> v0.37.0
golang.org/x/text v0.23.0 -> v0.31.0
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d -> v0.38.0

@snyk-io
Copy link

snyk-io bot commented Dec 10, 2025
edited
Loading

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues
Code Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@codecov
Copy link

codecov bot commented Dec 10, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 25.29%. Comparing base (a2521eb) to head (51ce891).
⚠️ Report is 131 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #196      +/-   ##
==========================================
- Coverage   32.61%   25.29%   -7.32%     
==========================================
  Files          80       79       -1     
  Lines       10855    11088     +233     
==========================================
- Hits         3540     2805     -735     
- Misses       7027     8012     +985     
+ Partials      288      271      -17

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@renovate renovate bot changed the title security(gomod): 🛡️ minor indirect to v0.45.0 security(gomod): 🛡️ minor indirect to v0.45.0 - autoclosed Jan 25, 2026
@renovate renovate bot closed this Jan 25, 2026
auto-merge was automatically disabled January 25, 2026 08:57

Pull request was closed

@renovate renovate bot deleted the renovate/vulnerability-unknown branch January 25, 2026 08:57
@renovate renovate bot changed the title security(gomod): 🛡️ minor indirect to v0.45.0 - autoclosed security(gomod): 🛡️ minor indirect to v0.45.0 Jan 25, 2026
@renovate renovate bot reopened this Jan 25, 2026
@renovate renovate bot force-pushed the renovate/vulnerability-unknown branch 2 times, most recently from a8b9c48 to 51ce891 Compare January 25, 2026 13:45
@renovate renovate bot enabled auto-merge (squash) January 25, 2026 17:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

@pacificcode pacificcode Awaiting requested review from pacificcode pacificcode is a code owner automatically assigned from DelineaXPM/dsv-contributors

At least 1 approving review is required to merge this pull request.

Assignees

@renovate renovate[bot]

Labels

dependencies ignore-stale security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants