Skip to content

Patch CVE-2025-61729 in Go proxy#710

Merged
amir-yogev-gh merged 1 commit into
flightctl:mainfrom
amir-yogev-gh:cve-fix/CVE-2025-61729
Jun 29, 2026
Merged

Patch CVE-2025-61729 in Go proxy#710
amir-yogev-gh merged 1 commit into
flightctl:mainfrom
amir-yogev-gh:cve-fix/CVE-2025-61729

Conversation

@amir-yogev-gh

@amir-yogev-gh amir-yogev-gh commented Jun 29, 2026
edited by coderabbitai Bot
Loading

Copy link
Copy Markdown
Collaborator

CVE Fix

Vulnerabilities Addressed

CVE ID Severity Package Old Version New Version
CVE-2025-61729 HIGH (CVSS 7.5) Go stdlib crypto/x509 go 1.24.0 / toolchain go1.25.8 go 1.25.0 / toolchain go1.25.9

Description

CVE-2025-61729 is a Denial of Service vulnerability in Go's crypto/x509 package. A malicious X.509 certificate with a large number of Subject Alternative Names causes quadratic runtime in HostnameError.Error(), leading to CPU/memory exhaustion. Fixed in Go 1.24.11 and Go 1.25.5+.

The proxy/ component directly imports crypto/x509 and crypto/tls, making it susceptible.

Strategy Justification

CVE-2025-61729 — Go crypto/x509

# Strategy Result Details
1 Direct update (minor) Success Bumped Go version to go 1.25.0 / toolchain go1.25.9 in proxy/go.mod (matching backend)

Changes

  • proxy/go.mod: Updated go directive from 1.24.0 to 1.25.0, toolchain from go1.25.8 to go1.25.9

Validation

  • Dependencies: Updated to fixed version (go1.25.9 >= fix threshold go1.25.5)
  • Vulnerability scan: govulncheck binary scan confirms CVE-2025-61729 is not present
  • Tests: Pre-existing failure in auth/redirect_test.go (unrelated to this change)

Rollback

To revert this change:

git revert <commit-sha>

Updated proxy/ (Go auth proxy) to patch HIGH-severity CVE-2025-61729 in Go’s crypto/x509 by bumping proxy/go.mod from go 1.24.0go 1.25.0 and the toolchain from go1.25.8go1.25.9. This change is confined to the Go proxy; it does not affect shared UI components (libs/ui-components/), shared types/i18n (libs/types/, libs/i18n/), Cypress E2E (libs/cypress/), platform-specific app code (apps/standalone/, apps/ocp-plugin/), packaging, or CI configuration (.github/workflows/). Validation includes a govulncheck scan confirming the CVE is not present after the update, noting an unrelated pre-existing test failure in auth/redirect_test.go.

@coderabbitai

coderabbitai Bot commented Jun 29, 2026
edited
Loading

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 6d825abe-bf5e-44c1-9322-9d72a72568a0

📥 Commits

Reviewing files that changed from the base of the PR and between f8ac048 and d036294.

📒 Files selected for processing (1)
  • proxy/go.mod

Walkthrough

The proxy/go.mod file updates the go directive from 1.24.0 to 1.25.0 and the toolchain directive from go1.25.8 to go1.25.9.

Changes

Go Toolchain Version Bump

Layer / File(s) Summary
Go directive and toolchain update
proxy/go.mod		 go directive updated from 1.24.0 to 1.25.0; toolchain updated from go1.25.8 to go1.25.9.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested labels

proxy

Poem

Two little lines in go.mod reside,
A version ticks up, the toolchain its guide.
From 1.24 to 1.25 we climb,
go1.25.9 keeping pace with time.
Small change, swift step — onward we stride! 🚀

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Generated-Files-Not-Hand-Edited ⚠️ Warning libs/i18n/locales/en/translation.json is a generated file and it was modified in the PR diff. Regenerate the i18n catalog with npm run i18n and commit the generated output instead of editing translation.json by hand.
I18n-Compliance ⚠️ Warning CreateAuthProviderForm.tsx adds raw aria-label="Enabled help text" in JSX instead of t(...), violating the i18n rule. Wrap the label in t('Enabled help text') (or an equivalent translation key) so all user-visible TSX strings are localized.
✅ Passed checks (13 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely summarizes the main change: patching CVE-2025-61729 in the Go proxy.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
No-Hardcoded-Secrets ✅ Passed proxy/go.mod only changes Go/toolchain versions; no API keys, tokens, passwords, private keys, or embedded creds are present.
No-Weak-Crypto ✅ Passed PR only bumps proxy/go.mod; scans found no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB usage, custom crypto, or non-constant-time secret comparisons.
No-Injection-Vectors ✅ Passed Only proxy/go.mod changed; no code paths or unsafe APIs (eval/exec/innerHTML/yaml.load) were introduced.
Container-Privileges ✅ Passed PR only changes proxy/go.mod; no container/K8s manifest changes or privileged settings (privileged, hostPID/network/IPC, allowPrivilegeEscalation, SYS_ADMIN) were found.
No-Sensitive-Data-In-Logs ✅ Passed PASS: The PR only updates proxy/go.mod (Go/toolchain versions); no logging code or log-message changes that could expose secrets were introduced.
Resource-Leaks ✅ Passed PASS: proxy/ Go sources close files/HTTP bodies, and the only goroutines in terminal.go terminate via errc + conn closes; no resource leaks found.
Unchecked-Errors ✅ Passed The PR only updates proxy/go.mod; no Go source files were changed, so it introduces no new unchecked-error ignores in proxy/.
Ai-Attribution ✅ Passed PASS: HEAD commit uses the acceptable Assisted-by trailer for Claude and contains no Co-Authored-By trailer.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies"

Comment @coderabbitai help to get the list of available commands.

@amir-yogev-gh amir-yogev-gh marked this pull request as ready for review June 29, 2026 12:17
@amir-yogev-gh amir-yogev-gh requested a review from celdrake June 29, 2026 12:17
@amir-yogev-gh amir-yogev-gh force-pushed the cve-fix/CVE-2025-61729 branch from e25c152 to f8ac048 Compare June 29, 2026 13:55
@amir-yogev-gh
Patch CVE-2025-61729 by updating Go to 1.25.9
d036294 
Resolves CVE-2025-61729 (HIGH) in Go stdlib crypto/x509.
Updated Go from 1.24.0 (toolchain 1.25.8) to 1.25.0 (toolchain 1.25.9)
in proxy/go.mod, matching the backend repository.

Assisted-by: Claude <noreply@anthropic.com>
@amir-yogev-gh amir-yogev-gh force-pushed the cve-fix/CVE-2025-61729 branch from f8ac048 to d036294 Compare June 29, 2026 14:06
@amir-yogev-gh amir-yogev-gh merged commit db350a1 into flightctl:main Jun 29, 2026
10 checks passed
@amir-yogev-gh amir-yogev-gh deleted the cve-fix/CVE-2025-61729 branch June 29, 2026 14:24
@coderabbitai coderabbitai Bot mentioned this pull request Jun 29, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@celdrake celdrake celdrake approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@amir-yogev-gh @celdrake