v0.30.2 (current latest) pins golang.org/x/crypto v0.49.0 and golang.org/x/net v0.52.0, which our OSS vulnerability scanner flags with several security advisories. Downstream FIPS rebuilds must currently force-bump these before execution.
Our scans indicate the pinned versions are vulnerable to the following:
golang.org/x/crypto (v0.49.0): Vulnerable to CVE-2026-39829 (CPU Denial of Service via pathological RSA/DSA parameters during public key verification).
golang.org/x/net (v0.52.0): Vulnerable to CVE-2026-42506 (XSS due to incorrect handling of namespaced elements in foreign content).
Please update go.mod to the current versions—golang.org/x/crypto (≥ v0.53.0, which step-issuer v0.11.0 already ships) and golang.org/x/net (≥ v0.56.0)—and cut a patch release so downstream consumers can drop manual go get remediations.
Steps to reproduce:
go get golang.org/x/crypto@v0.53.0
go get golang.org/x/net@v0.56.0
go mod tidy
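As an added example (not part of this issue or the project's own tooling), a small POSIX sh check that a downstream FIPS rebuild could run before `go get`: it reads the `require` entries of a go.mod, compares the pinned golang.org/x/crypto and golang.org/x/net versions against the minimums named above, and exits non-zero when either is below them. The go.mod content and the script names are constructed for the demonstration.

```shell
# Constructed go.mod mirroring the pins described in the report (not the project's real file).
SAMPLE_GOMOD="$(cat <<'EOF'
module example.com/constructed

go 1.22

require (
    golang.org/x/crypto v0.49.0
    golang.org/x/net v0.52.0
    golang.org/x/text v0.22.0
)
EOF
)"

# vernum "v0.49.0" -> integer usable with -lt/-gt: (major*10000+minor)*10000+patch.
# Pre-release/build suffixes ("-rc1", "+meta") are stripped before comparing.
vernum() {
    echo "$1" | sed 's/^v//; s/[-+].*$//' | awk -F. '{ printf "%d", ($1*10000+$2)*10000+$3 }'
}

# pinned_version FILE MODULE -> prints the version from a require block line or a
# single-line "require MODULE vX.Y.Z"; prints nothing if the module is not pinned.
pinned_version() {
    awk -v mod="$2" '
        $1 == mod && $2 ~ /^v/ { print $2; exit }
        $1 == "require" && $2 == mod && $3 ~ /^v/ { print $3; exit }' "$1"
}

# check_gomod FILE MODULE MIN [MODULE MIN ...] -> 0 if every listed module meets
# its minimum, 1 if any pinned version is below it (missing modules are reported only).
check_gomod() {
    file="$1"; shift
    rc=0
    while [ $# -ge 2 ]; do
        mod="$1"; min="$2"; shift 2
        have="$(pinned_version "$file" "$mod")"
        if [ -z "$have" ]; then
            echo "MISSING  $mod (not pinned in $file)"
        elif [ "$(vernum "$have")" -lt "$(vernum "$min")" ]; then
            echo "OUTDATED $mod $have < $min"; rc=1
        else
            echo "OK       $mod $have >= $min"
        fi
    done
    return $rc
}

# Minimums requested in this issue.
MINIMUMS="golang.org/x/crypto v0.53.0 golang.org/x/net v0.56.0"

# Stand-alone run against the constructed go.mod: reports both modules as OUTDATED.
tmp="$(mktemp)"; printf '%s\n' "$SAMPLE_GOMOD" > "$tmp"
if check_gomod "$tmp" $MINIMUMS; then echo "go.mod meets minimums"; else echo "go.mod needs bumping"; fi
rm -f "$tmp"
```

Run it against a real go.mod with `check_gomod ./go.mod $MINIMUMS` in a CI step; a non-zero exit blocks the build until the pins are raised.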