63 changes: 27 additions & 36 deletions go.mod
@@ -1,6 +1,6 @@
module github.com/openshift/oc

go 1.24.0
go 1.24.11

require (
al.essio.dev/pkg/shellescape v1.6.0
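Review bot: the `go` directive moves from `1.24.0` to the patch release `1.24.11`, and since Go 1.21 that line is a minimum toolchain requirement, not just a language-version hint: a builder on an older 1.24.x will auto-download go1.24.11 under `GOTOOLCHAIN=auto` or fail outright under `GOTOOLCHAIN=local`. Confirm the CI and release builder images already carry go1.24.11 or newer (or deliberately allow the toolchain switch), and say in the PR description which stdlib fix motivates the patch-level bump so the reason survives in history.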
@@ -16,8 +16,8 @@ require (
github.com/aws/aws-sdk-go-v2/service/s3 v1.88.3
github.com/aws/smithy-go v1.23.0
github.com/blang/semver v3.5.1+incompatible
github.com/containers/image/v5 v5.32.2
github.com/containers/storage v1.58.0
github.com/containers/image/v5 v5.36.0
github.com/containers/storage v1.59.0
github.com/coreos/go-oidc/v3 v3.14.1
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
github.com/distribution/distribution/v3 v3.0.0-20230519140516-983358f8e250
@@ -26,18 +26,18 @@ require (
github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7
github.com/elazarl/goproxy v1.7.2
github.com/fsnotify/fsnotify v1.9.0
github.com/fsouza/go-dockerclient v1.10.0
github.com/fsouza/go-dockerclient v1.12.3
github.com/ghodss/yaml v1.0.0
github.com/go-ldap/ldap/v3 v3.4.11
github.com/gonum/graph v0.0.0-20170401004347-50b27dea7ebb
github.com/google/go-cmp v0.7.0
github.com/int128/oauth2cli v1.17.0
github.com/joelanford/ignore v0.1.1
github.com/moby/buildkit v0.12.5
github.com/moby/buildkit v0.26.3
github.com/moby/sys/sequential v0.6.0
github.com/moby/term v0.5.2
github.com/opencontainers/go-digest v1.0.0
github.com/opencontainers/image-spec v1.1.0
github.com/opencontainers/image-spec v1.1.1
github.com/openshift/api v0.0.0-20251111013132-5c461e21bdb7
github.com/openshift/build-machinery-go v0.0.0-20251020112516-49aa9f5db6d8
github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235
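Review bot: `github.com/moby/buildkit` jumps fourteen minor releases in one step (v0.12.5 to v0.26.3) and it is a direct dependency, not `// indirect`, so the API surface oc compiles against has moved a long way; `go-dockerclient` (v1.10.0 to v1.12.3) is in the same position. The PR description should list which buildkit packages oc actually imports and confirm `go build ./...` and `go vet ./...` pass against the vendored tree, since a bump this large rarely lands without signature or behaviour changes in the packages oc uses.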
@@ -74,7 +74,6 @@ require (
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
github.com/BurntSushi/toml v1.5.0 // indirect
github.com/Microsoft/go-winio v0.6.2 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.1 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.18.16 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.9 // indirect
@@ -94,13 +93,13 @@ require (
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/chai2010/gettext-go v1.0.2 // indirect
github.com/containerd/log v0.1.0 // indirect
github.com/containerd/typeurl/v2 v2.2.0 // indirect
github.com/containerd/typeurl/v2 v2.2.3 // indirect
github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect
github.com/containers/ocicrypt v1.2.0 // indirect
github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f // indirect
github.com/containers/ocicrypt v1.2.1 // indirect
github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 // indirect
github.com/cyphar/filepath-securejoin v0.6.0 // indirect
github.com/distribution/reference v0.6.0 // indirect
github.com/docker/docker-credential-helpers v0.8.2 // indirect
github.com/docker/docker-credential-helpers v0.9.3 // indirect
github.com/docker/go-connections v0.5.0 // indirect
github.com/docker/go-metrics v0.0.1 // indirect
github.com/emicklei/go-restful/v3 v3.12.2 // indirect
@@ -114,17 +113,10 @@ require (
github.com/go-git/go-billy/v5 v5.6.1 // indirect
github.com/go-git/go-git/v5 v5.13.1 // indirect
github.com/go-jose/go-jose/v4 v4.0.5 // indirect
github.com/go-logr/logr v1.4.2 // indirect
github.com/go-openapi/analysis v0.23.0 // indirect
github.com/go-openapi/errors v0.22.0 // indirect
github.com/go-logr/logr v1.4.3 // indirect
github.com/go-openapi/jsonpointer v0.21.0 // indirect
github.com/go-openapi/jsonreference v0.21.0 // indirect
github.com/go-openapi/loads v0.22.0 // indirect
github.com/go-openapi/runtime v0.28.0 // indirect
github.com/go-openapi/spec v0.21.0 // indirect
github.com/go-openapi/strfmt v0.23.0 // indirect
github.com/go-openapi/swag v0.23.0 // indirect
github.com/go-openapi/validate v0.24.0 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/gonum/blas v0.0.0-20181208220705-f22b278b28ac // indirect
github.com/gonum/floats v0.0.0-20181209220543-c233463c7e82 // indirect
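Review bot: seven go-openapi modules (analysis, errors, loads, runtime, spec, strfmt, validate) drop out of the indirect set here while jsonpointer, jsonreference and swag stay; that matches `github.com/sigstore/rekor` leaving the module graph further down, since rekor's generated client is built on go-openapi/runtime. Please confirm these removals are the output of `go mod tidy` on the new graph rather than hand edits, and that `go mod verify` is clean, so go.sum and vendor/modules.txt agree with this file.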
@@ -135,8 +127,8 @@ require (
github.com/gonum/stat v0.0.0-20181125101827-41a0da705a5b // indirect
github.com/google/btree v1.1.3 // indirect
github.com/google/gnostic-models v0.7.0 // indirect
github.com/google/go-containerregistry v0.20.0 // indirect
github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect
github.com/google/go-containerregistry v0.20.3 // indirect
github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/gorilla/mux v1.8.1 // indirect
github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
@@ -148,13 +140,12 @@ require (
github.com/jonboulle/clockwork v0.5.0 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/klauspost/compress v1.18.0 // indirect
github.com/letsencrypt/boulder v0.0.0-20240418210053-89b07f4543e0 // indirect
github.com/klauspost/compress v1.18.1 // indirect
github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
github.com/lithammer/dedent v1.1.0 // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/mitchellh/go-wordwrap v1.0.1 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/moby/docker-image-spec v1.3.1 // indirect
github.com/moby/go-archive v0.1.0 // indirect
github.com/moby/patternmatcher v0.6.0 // indirect
@@ -170,38 +161,38 @@ require (
github.com/morikuni/aec v1.0.0 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
github.com/oklog/ulid v1.3.1 // indirect
github.com/opencontainers/runtime-spec v1.2.1 // indirect
github.com/opencontainers/selinux v1.13.0 // indirect
github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pkg/profile v1.7.0 // indirect
github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/proglottis/gpgme v0.1.3 // indirect
github.com/proglottis/gpgme v0.1.4 // indirect
github.com/prometheus/client_model v0.6.2 // indirect
github.com/prometheus/common v0.66.1 // indirect
github.com/prometheus/procfs v0.16.1 // indirect
github.com/robfig/cron v1.2.0 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
github.com/sigstore/fulcio v1.4.5 // indirect
github.com/sigstore/rekor v1.3.6 // indirect
github.com/sigstore/sigstore v1.8.4 // indirect
github.com/secure-systems-lab/go-securesystemslib v0.9.1 // indirect
github.com/sigstore/fulcio v1.6.6 // indirect
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

GO-2025-4193 sigstore fulcio vulnerability

💡 Result:

Summary — GO-2025-4193 (Fulcio)

  • ID / aliases: GO-2025-4193; CVE-2025-66506; GHSA-f83f-xpx7-ffpw. [1][2]
  • Issue: Fulcio's identity.extractIssuerURL uses strings.Split on untrusted token data, allowing an attacker to craft tokens with many '.' characters that cause excessive memory allocations (resource exhaustion / DoS). [1][3]
  • Affected versions: github.com/sigstore/fulcio versions before v1.8.3. [1][2][3]
  • Fix / mitigation: upgrade fulcio to v1.8.3 or later (patch commit available in upstream). [1][3]
References:
  • Go vulnerability entry (GO-2025-4193). [1]
  • OSV / vulnerability metadata (GO-2025-4193 / CVE-2025-66506). [2]
  • Snyk advisory / details and recommended upgrade. [3]

🌐 Web query:

GHSA-f83f-xpx7-ffpw sigstore fulcio

💡 Result:

Summary: GHSA-f83f-xpx7-ffpw (CVE-2025-66506) is a high-severity resource-exhaustion vulnerability in Sigstore Fulcio where identity.extractIssuerURL can allocate excessive memory when parsing a malicious OIDC token (DoS/amplification). It affects Fulcio <= 1.8.2 and is fixed in 1.8.3. Mitigation: upgrade Fulcio to v1.8.3 (or later). See the GitHub advisory and fix commit for details. [1][2][3]

Sources

  • Sigstore GitHub security advisory and fix commit. [1]
  • OSV / package-vuln entries (CVE-2025-66506 / GO-2025-4193) confirming affected range and fix. [2][3]

🌐 Web query:

sigstore/fulcio v1.6.6 security vulnerability

💡 Result:

Short answer: Yes — fulcio v1.6.6 is affected by a high-severity vulnerability (CVE-2025-66506) that allows excessive memory allocation during token parsing. Upgrade to fulcio >= 1.8.3 to fix it. [1][2][3]

Details & actions:

  • Vulnerability: excessive allocations in identity.extractIssuerURL when parsing untrusted OIDC tokens (can be triggered remotely). Published as CVE-2025-66506 on Dec 4, 2025. [1][3]
  • Affected versions: fulcio < 1.8.3 (includes v1.6.6). [1][3]
  • Fix: upgrade to fulcio v1.8.3 or later. [2][4]

Sources:
[1] CVE summary (CVE-2025-66506) — CVE/ security aggregation.
[2] sigstore/fulcio releases (GitHub).
[3] Snyk advisory for the vuln (SNYK-GOLANG-GITHUBCOMSIGSTOREFULCIOPKGIDENTITY-14220411).


🏁 Script executed:

```bash
#!/bin/bash
# Check Go module information for sigstore/fulcio
curl -s 'https://pkg.go.dev/api/packages/github.com/sigstore/fulcio' | jq '.Versions[0:10] | .[] | {Path, Version, CommitTime}' 2>/dev/null || echo "pkg.go.dev unavailable"

# Try alternative: check GitHub API for releases
echo "=== GitHub Releases ==="
curl -s 'https://api.github.com/repos/sigstore/fulcio/releases?per_page=10' 2>/dev/null | jq '.[] | {tag_name, published_at, prerelease}' | head -30 || echo "GitHub API unavailable"
```

Repository: openshift/oc

Length of output: 654


⚠️ Critical: sigstore/fulcio v1.6.6 has a documented HIGH severity vulnerability (CVE-2025-66506).

The version being bumped (v1.6.6) is affected by a memory exhaustion vulnerability in token parsing (GO-2025-4193 / GHSA-f83f-xpx7-ffpw). This contradicts the PR's objective to address CVEs.

Update to sigstore/fulcio v1.8.3 or later (v1.8.4 is the latest stable release). All versions before v1.8.3 are vulnerable to this remote-triggerable DoS attack.

🧰 Tools
🪛 OSV Scanner (2.3.1)

[HIGH] 178-178: github.com/sigstore/fulcio 1.6.6: Fulcio allocates excessive memory during token parsing in github.com/sigstore/fulcio

(GO-2025-4193)


[HIGH] 178-178: github.com/sigstore/fulcio 1.6.6: Fulcio allocates excessive memory during token parsing

(GHSA-f83f-xpx7-ffpw)

🤖 Prompt for AI Agents
In go.mod around line 178, the dependency github.com/sigstore/fulcio is pinned to v1.6.6 which is vulnerable (CVE-2025-66506); update the module requirement to a fixed release (at least v1.8.3, preferably v1.8.4). Edit go.mod to replace the version with v1.8.4 (or v1.8.3+) and then run `go get github.com/sigstore/fulcio@v1.8.4` followed by `go mod tidy` and run tests/build to ensure no breakage.

github.com/sigstore/protobuf-specs v0.4.1 // indirect
github.com/sigstore/sigstore v1.9.5 // indirect
github.com/sirupsen/logrus v1.9.3 // indirect
github.com/stretchr/testify v1.11.1 // indirect
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
github.com/x448/float16 v0.8.4 // indirect
github.com/xlab/treeprint v1.2.0 // indirect
go.mongodb.org/mongo-driver v1.14.0 // indirect
go.opentelemetry.io/otel v1.35.0 // indirect
go.opentelemetry.io/otel/trace v1.35.0 // indirect
go.opentelemetry.io/otel v1.38.0 // indirect
go.opentelemetry.io/otel/trace v1.38.0 // indirect
go.yaml.in/yaml/v2 v2.4.2 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
golang.org/x/exp v0.0.0-20250911091902-df9299821621 // indirect
golang.org/x/text v0.31.0 // indirect
golang.org/x/time v0.9.0 // indirect
golang.org/x/time v0.14.0 // indirect
golang.org/x/tools v0.38.0 // indirect
google.golang.org/protobuf v1.36.8 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect
google.golang.org/protobuf v1.36.10 // indirect
gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
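Review bot: the whole sigstore set is reshuffled in this hunk (rekor v1.3.6 removed, protobuf-specs v0.4.1 added, fulcio v1.4.5 to v1.6.6, sigstore v1.8.4 to v1.9.5, go-securesystemslib v0.8.0 to v0.9.1), yet every one of them is `// indirect`, so these versions are being selected by a direct dependency (most plausibly `github.com/containers/image/v5` v5.36.0 above) rather than chosen here. Before acting on the fulcio finding in the comment above, run `go mod why -m github.com/sigstore/fulcio` to see which import path keeps it in the graph, and `govulncheck ./...` rather than a module-level scanner: govulncheck only reports a finding when the vulnerable symbol is reachable from oc's own code, and a server-side token parser may well not be reachable from a client binary. If it is reachable, a direct `require github.com/sigstore/fulcio v1.8.3` (or later) pin plus `go mod tidy` is the fix; if it is not, record that triage in the PR so the scanner finding is closed deliberately rather than left open. Separately, `golang.org/x/time` (v0.9.0 to v0.14.0) and the newly added `google.golang.org/genproto/googleapis/api` are worth a one-line mention in the description so the reason for each new module is traceable.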