Patch CVE-2025-61729 in Go proxy

[amir-yogev-gh]

CVE Fix

Vulnerabilities Addressed

CVE ID	Severity	Package	Old Version	New Version
CVE-2025-61729	HIGH (CVSS 7.5)	Go stdlib crypto/x509	go 1.24.0 / toolchain go1.25.8	go 1.25.0 / toolchain go1.25.9

Description

CVE-2025-61729 is a Denial of Service vulnerability in Go's crypto/x509 package. A malicious X.509 certificate with a large number of Subject Alternative Names causes quadratic runtime in HostnameError.Error(), leading to CPU/memory exhaustion. Fixed in Go 1.24.11 and Go 1.25.5+.

The proxy/ component directly imports crypto/x509 and crypto/tls, making it susceptible.

Strategy Justification

CVE-2025-61729 — Go crypto/x509

#	Strategy	Result	Details
1	Direct update (minor)	Success	Bumped Go version to go 1.25.0 / toolchain go1.25.9 in proxy/go.mod (matching backend)

Changes

• proxy/go.mod: Updated go directive from 1.24.0 to 1.25.0, toolchain from go1.25.8 to go1.25.9

Validation

• Dependencies: Updated to fixed version (go1.25.9 >= fix threshold go1.25.5)
• Vulnerability scan: govulncheck binary scan confirms CVE-2025-61729 is not present
• Tests: Pre-existing failure in auth/redirect_test.go (unrelated to this change)

Rollback

To revert this change:

git revert <commit-sha>

Updated proxy/ (Go auth proxy) to patch HIGH-severity CVE-2025-61729 in Go’s crypto/x509 by bumping proxy/go.mod from go 1.24.0 → go 1.25.0 and the toolchain from go1.25.8 → go1.25.9. This change is confined to the Go proxy; it does not affect shared UI components (libs/ui-components/), shared types/i18n (libs/types/, libs/i18n/), Cypress E2E (libs/cypress/), platform-specific app code (apps/standalone/, apps/ocp-plugin/), packaging, or CI configuration (.github/workflows/). Validation includes a govulncheck scan confirming the CVE is not present after the update, noting an unrelated pre-existing test failure in auth/redirect_test.go.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 6d825abe-bf5e-44c1-9322-9d72a72568a0

📥 Commits

Reviewing files that changed from the base of the PR and between f8ac048 and d036294.

📒 Files selected for processing (1)

• proxy/go.mod

---

Walkthrough

The proxy/go.mod file updates the go directive from 1.24.0 to 1.25.0 and the toolchain directive from go1.25.8 to go1.25.9.

Changes

Go Toolchain Version Bump

Layer / File(s)	Summary
Go directive and toolchain update proxy/go.mod	go directive updated from 1.24.0 to 1.25.0; toolchain updated from go1.25.8 to go1.25.9.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested labels

proxy

Poem

Two little lines in go.mod reside,
A version ticks up, the toolchain its guide.
From 1.24 to 1.25 we climb,
go1.25.9 keeping pace with time.
Small change, swift step — onward we stride! 🚀

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Generated-Files-Not-Hand-Edited	⚠️ Warning	libs/i18n/locales/en/translation.json is a generated file and it was modified in the PR diff.	Regenerate the i18n catalog with npm run i18n and commit the generated output instead of editing translation.json by hand.
I18n-Compliance	⚠️ Warning	CreateAuthProviderForm.tsx adds raw aria-label="Enabled help text" in JSX instead of t(...), violating the i18n rule.	Wrap the label in t('Enabled help text') (or an equivalent translation key) so all user-visible TSX strings are localized.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: patching CVE-2025-61729 in the Go proxy.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
No-Hardcoded-Secrets	✅ Passed	proxy/go.mod only changes Go/toolchain versions; no API keys, tokens, passwords, private keys, or embedded creds are present.
No-Weak-Crypto	✅ Passed	PR only bumps proxy/go.mod; scans found no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB usage, custom crypto, or non-constant-time secret comparisons.
No-Injection-Vectors	✅ Passed	Only proxy/go.mod changed; no code paths or unsafe APIs (eval/exec/innerHTML/yaml.load) were introduced.
Container-Privileges	✅ Passed	PR only changes proxy/go.mod; no container/K8s manifest changes or privileged settings (privileged, hostPID/network/IPC, allowPrivilegeEscalation, SYS_ADMIN) were found.
No-Sensitive-Data-In-Logs	✅ Passed	PASS: The PR only updates proxy/go.mod (Go/toolchain versions); no logging code or log-message changes that could expose secrets were introduced.
Resource-Leaks	✅ Passed	PASS: proxy/ Go sources close files/HTTP bodies, and the only goroutines in terminal.go terminate via errc + conn closes; no resource leaks found.
Unchecked-Errors	✅ Passed	The PR only updates proxy/go.mod; no Go source files were changed, so it introduces no new unchecked-error ignores in proxy/.
Ai-Attribution	✅ Passed	PASS: HEAD commit uses the acceptable Assisted-by trailer for Claude and contains no Co-Authored-By trailer.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies"

---

_{Comment @coderabbitai help to get the list of available commands.}