
fix(deps): vuln minor upgrades — 14 packages (minor: 9 · patch: 5) #93

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into master from engraver-auto-version-upgrade/minorpatch/go/0-1778178582


Conversation

@gh-worker-campaigns-3e9aa4

Summary: Critical-severity security update — 14 packages upgraded (MINOR changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
| --- | --- | --- | --- | --- | --- |
| github.com/jackc/pgx/v5 | v5.7.4 | v5.9.2 | minor | Transitive | 4 CRITICAL, 1 LOW |
| google.golang.org/grpc | v1.72.2 | v1.81.0 | minor | Direct | 3 CRITICAL |
| github.com/opencontainers/runc | v1.2.6 | v1.4.2 | minor | Transitive | 9 HIGH |
| go.opentelemetry.io/otel/sdk | v1.35.0 | v1.43.0 | minor | Direct | 4 HIGH |
| github.com/dvsekhvalnov/jose2go | v1.6.0 | v1.8.0 | minor | Transitive | 3 HIGH |
| github.com/go-jose/go-jose/v3 | v3.0.4 | v3.0.5 | patch | Direct | 1 HIGH |
| github.com/go-jose/go-jose/v4 | v4.1.0 | v4.1.4 | patch | Transitive | 1 HIGH |
| github.com/microsoft/kiota-http-go | v1.5.2 | v1.5.6 | patch | Transitive | 1 HIGH |
| github.com/go-git/go-git/v5 | v5.14.0 | v5.18.0 | minor | Direct | 5 MODERATE, 2 MEDIUM, 3 LOW |
| github.com/go-viper/mapstructure/v2 | v2.1.0 | v2.5.0 | minor | Transitive | 3 MODERATE, 2 MEDIUM |
| github.com/aws/aws-sdk-go | v1.55.7 | v1.55.8 | patch | Direct | 2 MODERATE, 2 LOW |
| github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream | v1.6.2 | v1.7.10 | minor | Transitive | 1 MODERATE |
| github.com/aws/aws-sdk-go-v2/service/s3 | v1.53.1 | v1.100.1 | minor | Transitive | 1 MODERATE |
| filippo.io/edwards25519 | v1.1.0 | v1.1.1 | patch | Transitive | 3 LOW |

Security Details

🚨 Critical & High Severity (26 fixed)
| Package | Advisory | Severity | Summary | Unsafe Version | Fixed In |
| --- | --- | --- | --- | --- | --- |
| github.com/jackc/pgx/v5 | GHSA-xgrm-4fwx-7qm8 | CRITICAL | pgx contains memory-safety vulnerability | v5.7.4 | - |
| github.com/jackc/pgx/v5 | GO-2026-4772 | CRITICAL | CVE-2026-33816 in github.com/jackc/pgx | v5.7.4 | 5.9.0 |
| github.com/jackc/pgx/v5 | GO-2026-4771 | CRITICAL | CVE-2026-33815 in github.com/jackc/pgx | v5.7.4 | 5.9.0 |
| github.com/jackc/pgx/v5 | GHSA-9jj7-4m8r-rfcm | CRITICAL | Memory-safety vulnerability in github.com/jackc/pgx/v5. | v5.7.4 | 5.9.0 |
| google.golang.org/grpc | GO-2026-4762 | CRITICAL | Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc | v1.72.2 | 1.79.3 |
| google.golang.org/grpc | CVE-2026-33186 | CRITICAL | gRPC-Go has an authorization bypass via missing leading slash in :path | v1.72.2 | - |
| google.golang.org/grpc | GHSA-p77j-4mvh-x3m3 | CRITICAL | gRPC-Go has an authorization bypass via missing leading slash in :path | v1.72.2 | 1.79.3 |
| github.com/dvsekhvalnov/jose2go | CVE-2025-63811 | HIGH | - | v1.6.0 | - |
| github.com/dvsekhvalnov/jose2go | GO-2025-4123 | HIGH | Denial-of-Service (DoS) via crafted JSON Web Encryption (JWE) token high compression ratio in github.com/dvsekhvalnov/jose2go | v1.6.0 | 1.7.0 |
| github.com/dvsekhvalnov/jose2go | GHSA-9mj6-hxhv-w67j | HIGH | jose2go is vulnerable to a JWT bomb attack through its decode function | v1.6.0 | 1.7.0 |
| github.com/go-jose/go-jose/v3 | GHSA-78h2-9frx-2jm8 | HIGH | Go JOSE Panics in JWE decryption | v3.0.4 | 3.0.5 |
| github.com/go-jose/go-jose/v4 | GHSA-78h2-9frx-2jm8 | HIGH | Go JOSE Panics in JWE decryption | v4.1.0 | 4.1.4 |
| github.com/microsoft/kiota-http-go | GHSA-7j59-v9qr-6fq9 | HIGH | Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect | v1.5.2 | 1.5.5 |
| github.com/opencontainers/runc | GHSA-qw9x-cqr3-wc7r | HIGH | runc container escape with malicious config due to /dev/console mount and related races | v1.2.6 | 1.2.8 |
| github.com/opencontainers/runc | CVE-2025-52565 | HIGH | container escape due to /dev/console mount and related races | v1.2.6 | - |
| github.com/opencontainers/runc | GO-2025-4096 | HIGH | Container escape via "masked path" abuse due to mount race conditions in github.com/opencontainers/runc | v1.2.6 | 1.2.8 |
| github.com/opencontainers/runc | GHSA-9493-h29p-rfm2 | HIGH | runc container escape via "masked path" abuse due to mount race conditions | v1.2.6 | 1.2.8 |
| github.com/opencontainers/runc | GO-2025-4097 | HIGH | Container escape with malicious config due to /dev/console mount and related races in github.com/opencontainers/runc | v1.2.6 | 1.2.8 |
| github.com/opencontainers/runc | CVE-2025-31133 | HIGH | runc container escape via "masked path" abuse due to mount race conditions | v1.2.6 | - |
| github.com/opencontainers/runc | CVE-2025-52881 | HIGH | runc: LSM labels can be bypassed with malicious config using dummy procfs files | v1.2.6 | - |
| github.com/opencontainers/runc | GO-2025-4098 | HIGH | Container escape and DDoS due to arbitrary write gadgets and procfs write redirects in github.com/opencontainers/runc | v1.2.6 | 1.2.8 |
| github.com/opencontainers/runc | GHSA-cgrx-mc8f-2prm | HIGH | runc container escape and denial of service due to arbitrary write gadgets and procfs write redirects | v1.2.6 | 1.2.8 |
| go.opentelemetry.io/otel/sdk | CVE-2026-24051 | HIGH | OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking | v1.35.0 | - |
| go.opentelemetry.io/otel/sdk | GHSA-hfvc-g4fc-pqhx | HIGH | opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking | v1.35.0 | 1.43.0 |
| go.opentelemetry.io/otel/sdk | GHSA-9h8m-3fm2-qjrq | HIGH | OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking | v1.35.0 | 1.40.0 |
| go.opentelemetry.io/otel/sdk | GO-2026-4394 | HIGH | OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk | v1.35.0 | 1.40.0 |
ℹ️ Other Vulnerabilities (25)
| Package | Advisory | Severity | Summary | Unsafe Version | Fixed In |
| --- | --- | --- | --- | --- | --- |
| github.com/go-git/go-git/v5 | CVE-2026-25934 | MEDIUM | go-git improperly verifies data integrity values for .idx and .pack files | v5.14.0 | - |
| github.com/go-git/go-git/v5 | GO-2026-4473 | MEDIUM | Improper verification of data integrity values for .idx and .pack files in github.com/go-git/go-git | v5.14.0 | 5.16.5 |
| github.com/go-viper/mapstructure/v2 | GO-2025-3900 | MEDIUM | Go-viper's mapstructure May Leak Sensitive Information in Logs in github.com/go-viper/mapstructure | v2.1.0 | 2.4.0 |
| github.com/go-viper/mapstructure/v2 | CVE-2025-11065 | MEDIUM | - | v2.1.0 | - |
| github.com/aws/aws-sdk-go | GHSA-f5pg-7wfw-84q9 | MODERATE | CBC padding oracle issue in AWS S3 Crypto SDK for golang | v1.55.7 | 1.34.0 |
| github.com/aws/aws-sdk-go | GO-2022-0646 | MODERATE | CBC padding oracle issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go | v1.55.7 | - |
| github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream | GHSA-xmrv-pmrh-hhx2 | MODERATE | Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder | v1.6.2 | 1.7.8 |
| github.com/aws/aws-sdk-go-v2/service/s3 | GHSA-xmrv-pmrh-hhx2 | MODERATE | Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder | v1.53.1 | 1.97.3 |
| github.com/go-git/go-git/v5 | GHSA-37cx-329c-33x3 | MODERATE | go-git improperly verifies data integrity values for .idx and .pack files | v5.14.0 | 5.16.5 |
| github.com/go-git/go-git/v5 | GHSA-3xc5-wrhm-f963 | MODERATE | go-git: Credential leak via cross-host redirect in smart HTTP transport | v5.14.0 | 5.18.0 |
| github.com/go-git/go-git/v5 | GHSA-jhf3-xxhw-2wpp | MODERATE | go-git: Maliciously crafted idx file can cause asymmetric memory consumption | v5.14.0 | 5.17.1 |
| github.com/go-git/go-git/v5 | CVE-2026-34165 | MODERATE | go-git: Maliciously crafted idx file can cause asymmetric memory consumption | v5.14.0 | - |
| github.com/go-git/go-git/v5 | GO-2026-4910 | MODERATE | Maliciously crafted idx file can cause asymmetric memory consumption in github.com/go-git/go-git | v5.14.0 | 5.17.1 |
| github.com/go-viper/mapstructure/v2 | GHSA-fv92-fjc5-jj9h | MODERATE | mapstructure May Leak Sensitive Information in Logs When Processing Malformed Data | v2.1.0 | 2.3.0 |
| github.com/go-viper/mapstructure/v2 | GHSA-2464-8j7c-4cjm | MODERATE | go-viper's mapstructure May Leak Sensitive Information in Logs When Processing Malformed Data | v2.1.0 | 2.4.0 |
| github.com/go-viper/mapstructure/v2 | GO-2025-3787 | MODERATE | May leak sensitive information in logs when processing malformed data in github.com/go-viper/mapstructure | v2.1.0 | 2.3.0 |
| filippo.io/edwards25519 | GO-2026-4503 | LOW | Invalid result or undefined behavior in filippo.io/edwards25519 | v1.1.0 | 1.1.1 |
| filippo.io/edwards25519 | CVE-2026-26958 | LOW | filippo.io/edwards25519 MultiScalarMult function produces invalid results or undefined behavior if receiver is not the identity | v1.1.0 | - |
| filippo.io/edwards25519 | GHSA-fw7p-63qq-7hpr | LOW | filippo.io/edwards25519 MultiScalarMult produces invalid results or undefined behavior if receiver is not the identity | v1.1.0 | 1.1.1 |
| github.com/aws/aws-sdk-go | GHSA-7f33-f4f5-xwgw | LOW | In-band key negotiation issue in AWS S3 Crypto SDK for golang | v1.55.7 | 1.34.0 |
| github.com/aws/aws-sdk-go | GO-2022-0635 | LOW | In-band key negotiation issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go | v1.55.7 | - |
| github.com/go-git/go-git/v5 | CVE-2026-33762 | LOW | go-git: Missing validation decoding Index v4 files leads to panic | v5.14.0 | - |
| github.com/go-git/go-git/v5 | GHSA-gm2x-2g9h-ccm8 | LOW | go-git missing validation decoding Index v4 files leads to panic | v5.14.0 | 5.17.1 |
| github.com/go-git/go-git/v5 | GO-2026-4909 | LOW | Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git | v5.14.0 | 5.17.1 |
| github.com/jackc/pgx/v5 | GHSA-j88v-2chj-qfwx | LOW | pgx: SQL Injection via placeholder confusion with dollar quoted string literals | v5.7.4 | 5.9.2 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System
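Worked example added here by the editor; it is not part of this PR and not gRPC-Go's code. The three gRPC advisories above describe an authorization bypass triggered by a `:path` pseudo-header that lacks its leading slash. Upgrading to v1.81.0 is the fix; the block below shows, in an application-level Go authorization check, why that bug class bites: a policy keyed on the canonical `/package.Service/Method` name fails open when the same method arrives under a different spelling. The page does not describe the affected versions' routing in detail, so treating a slash-less `:path` as reaching the same handler is an assumption of this example, and the method names, policy maps and the `evaluate` helper are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrBadMethod is returned for a method name that is not in canonical
// "/package.Service/Method" form.
var ErrBadMethod = errors.New("authz: non-canonical method name")

// canonicalMethod validates the full method name a server derived from the
// HTTP/2 :path pseudo-header. It returns an error instead of repairing the
// string, so a :path without its leading slash (or with extra segments) never
// reaches the policy lookup.
func canonicalMethod(fullMethod string) (string, error) {
	if !strings.HasPrefix(fullMethod, "/") {
		return "", fmt.Errorf("%w: missing leading slash in %q", ErrBadMethod, fullMethod)
	}
	parts := strings.Split(fullMethod[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", fmt.Errorf("%w: %q", ErrBadMethod, fullMethod)
	}
	return fullMethod, nil
}

// denyListAuthz is the fail-open shape this bug class punishes: it blocks the
// listed methods and lets everything else through. A request whose :path is
// "admin.Admin/DropTable" is not in the deny list (the entry carries the
// slash), so it is allowed, even if the server routes it to the same handler.
func denyListAuthz(fullMethod string, denied map[string]bool) bool {
	return !denied[fullMethod]
}

// allowListAuthz fails closed: the name must be canonical and explicitly
// allowed. Any unexpected spelling of a method name is a denial.
func allowListAuthz(fullMethod string, allowed map[string]bool) bool {
	m, err := canonicalMethod(fullMethod)
	if err != nil {
		return false
	}
	return allowed[m]
}

// decision records how both policies treat one :path value.
type decision struct {
	Path      string
	DenyList  bool
	AllowList bool
}

// evaluate runs both policies over the same :path values. The policy maps are
// constructed for this example: the caller may reach Ping and must never
// reach DropTable.
func evaluate(paths []string) []decision {
	denied := map[string]bool{"/admin.Admin/DropTable": true}
	allowed := map[string]bool{"/public.Echo/Ping": true}
	out := make([]decision, 0, len(paths))
	for _, p := range paths {
		out = append(out, decision{p, denyListAuthz(p, denied), allowListAuthz(p, allowed)})
	}
	return out
}

func main() {
	paths := []string{
		"/public.Echo/Ping",
		"/admin.Admin/DropTable",
		"admin.Admin/DropTable",       // slash-less twin of the denied method
		"/admin.Admin/DropTable/extra", // extra segment
	}
	for _, d := range evaluate(paths) {
		fmt.Printf("%-30s deny-list=%-5v allow-list=%v\n", d.Path, d.DenyList, d.AllowList)
	}
}
```

The deny-list policy admits `admin.Admin/DropTable` because the string does not equal the denied entry; the allow-list policy rejects it before any lookup. The practical lesson for reviewing this upgrade is that an interceptor which matches method names by prefix or exact string is only as safe as the transport's normalization of `:path`, which is exactly what the advisories say was wrong.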

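Worked example added by the editor, not pgx's code. The LOW-severity pgx advisory at the foot of the second table names SQL injection via placeholder confusion with dollar-quoted string literals. The page does not give the exact trigger, and none is claimed here; what the block below shows is the bug class in a client-side parameter interpolator of the kind a driver uses when it splices arguments into query text instead of binding them server-side. A naive interpolator replaces `$1` wherever it appears, including inside a `$q$...$q$` literal, where single-quote escaping offers no protection and an argument containing the closing tag breaks out of the string. The quote-aware scanner only substitutes placeholders outside `'...'` and `$tag$...$tag$` literals. The statement, the `$q$` tag and the hostile argument are constructed for this example; comments (`--`, `/* */`) are deliberately not handled to keep the scanner short.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// quoteLiteral turns a Go string into a single-quoted SQL literal. Doubling
// the single quote is the only escaping it knows, which is correct inside
// '...' and meaningless inside $tag$...$tag$.
func quoteLiteral(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// interpolateNaive substitutes $n placeholders by plain text replacement,
// regardless of where in the statement they appear. Highest index first so
// $10 is not mangled by $1.
func interpolateNaive(sql string, args []string) string {
	for n := len(args); n >= 1; n-- {
		sql = strings.ReplaceAll(sql, fmt.Sprintf("$%d", n), quoteLiteral(args[n-1]))
	}
	return sql
}

func isIdentChar(c byte) bool {
	return c == '_' || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
}

// dollarTag reports whether s, which starts with '$', opens a dollar-quoted
// literal and returns the opening tag ("$$", "$q$", ...). Tags follow
// PostgreSQL identifier rules and cannot start with a digit, so "$1" is a
// placeholder, never a tag.
func dollarTag(s string) (string, bool) {
	for j := 1; j < len(s); j++ {
		c := s[j]
		switch {
		case c == '$':
			return s[:j+1], true
		case j == 1 && c >= '0' && c <= '9':
			return "", false
		case isIdentChar(c):
		default:
			return "", false
		}
	}
	return "", false
}

// placeholder parses "$n" at the start of s, returning n and the width
// consumed, or (0, 0) if s does not start a placeholder.
func placeholder(s string) (n, width int) {
	j := 1
	for j < len(s) && s[j] >= '0' && s[j] <= '9' {
		n = n*10 + int(s[j]-'0')
		j++
	}
	if j == 1 {
		return 0, 0
	}
	return n, j
}

// interpolateQuoteAware walks the statement and substitutes only placeholders
// that sit outside '...' and $tag$...$tag$ literals.
func interpolateQuoteAware(sql string, args []string) (string, error) {
	var out strings.Builder
	for i := 0; i < len(sql); {
		switch c := sql[i]; {
		case c == '\'':
			j := i + 1
			for j < len(sql) {
				if sql[j] == '\'' {
					if j+1 < len(sql) && sql[j+1] == '\'' {
						j += 2 // '' is an escaped quote: stay inside the literal
						continue
					}
					j++
					break
				}
				j++
			}
			out.WriteString(sql[i:j])
			i = j
		case c == '$':
			if tag, ok := dollarTag(sql[i:]); ok {
				body := i + len(tag)
				end := strings.Index(sql[body:], tag)
				if end < 0 {
					return "", errors.New("unterminated dollar-quoted literal")
				}
				j := body + end + len(tag)
				out.WriteString(sql[i:j]) // copy the whole literal untouched
				i = j
			} else if n, w := placeholder(sql[i:]); n > 0 {
				if n > len(args) {
					return "", fmt.Errorf("placeholder $%d has no argument", n)
				}
				out.WriteString(quoteLiteral(args[n-1]))
				i += w
			} else {
				out.WriteByte(c)
				i++
			}
		default:
			out.WriteByte(c)
			i++
		}
	}
	return out.String(), nil
}

func main() {
	sql := "SELECT $q$Hello $1$q$ AS greeting, $1 AS name"
	args := []string{"x$q$; DROP TABLE users; --"} // constructed hostile argument
	fmt.Println("naive:      ", interpolateNaive(sql, args))
	safe, _ := interpolateQuoteAware(sql, args)
	fmt.Println("quote-aware:", safe)
}
```

In the naive output the argument's embedded `$q$` closes the dollar-quoted literal and the rest of the argument becomes SQL; in the quote-aware output the `$1` inside the literal is left as text and the only substitution lands in a properly quoted position. The stronger fix, which the upgraded pgx versions and the extended query protocol give you, is not to interpolate at all and let the server bind parameters.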

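Worked example added by the editor, not jose2go's code. The jose2go rows describe a denial of service through a JWE whose compressed payload ("zip":"DEF") expands far beyond its size on the wire; the GHSA entry calls it a JWT bomb. The block below reproduces the bug class and its mitigation with the standard library only: it builds a small DEFLATE stream that inflates to 4 MiB, inflates it the way a trusting decoder would, and then inflates it through a reader that enforces an absolute output cap and a maximum expansion ratio. The payload size, the caps and the function names are constructed for this example; how jose2go 1.7.0 chose its own limits is not stated on this page.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when the inflated payload would exceed a cap.
var ErrTooLarge = errors.New("inflate: decompressed size exceeds limit")

// makeBomb builds a raw DEFLATE stream, the encoding a JWE with "zip":"DEF"
// carries, from n zero bytes. Constructed test input standing in for a
// hostile token: a few kilobytes that inflate to n bytes.
func makeBomb(n int) ([]byte, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		return nil, err
	}
	if _, err := w.Write(make([]byte, n)); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// inflateUnbounded is the vulnerable shape: the only size the decoder knows
// is the compressed size, and it reads whatever the stream expands to.
func inflateUnbounded(compressed []byte) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	return io.ReadAll(r)
}

// inflateBounded enforces an absolute output cap and a maximum expansion
// ratio. It reads one byte past maxOut so it can tell "exactly at the cap"
// from "over the cap" without ever buffering more than maxOut+1 bytes.
func inflateBounded(compressed []byte, maxOut, maxRatio int64) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, maxOut+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxOut {
		return nil, fmt.Errorf("%w: more than %d bytes", ErrTooLarge, maxOut)
	}
	if int64(len(out)) > maxRatio*int64(len(compressed)) {
		return nil, fmt.Errorf("%w: expansion ratio over %d:1", ErrTooLarge, maxRatio)
	}
	return out, nil
}

func main() {
	bomb, err := makeBomb(4 << 20)
	if err != nil {
		panic(err)
	}
	fmt.Printf("compressed: %d bytes\n", len(bomb))
	plain, _ := inflateUnbounded(bomb)
	fmt.Printf("unbounded inflate: %d bytes\n", len(plain))
	_, err = inflateBounded(bomb, 1<<20, 100)
	fmt.Printf("bounded inflate (1 MiB cap, 100:1 ratio): %v\n", err)
}
```

The cap has to sit on the decompressed side of the reader; checking the ciphertext length, or the JWE's declared sizes, tells you nothing about what DEFLATE will produce. A ratio cap on its own is weak for tiny inputs, which is why the bounded reader applies both checks.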
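Worked example added by the editor; it is neither kiota-http-go's nor go-git's code. Two rows in the tables describe the same bug class from different libraries: the kiota RedirectHandler leaking Cookie and Proxy-Authorization headers on a cross-host redirect, and go-git's smart HTTP transport leaking credentials via a cross-host redirect. Both are custom redirect handlers that re-issue the request themselves, so the stripping that Go's `net/http` client performs when it follows redirects does not happen for them. The block below is the check such a handler needs: resolve the `Location`, compare origins strictly (scheme and host, so an https to http downgrade also counts), and drop credential headers whenever the origin changes. The request, hostnames and token values are constructed for this example, and request bodies are not carried across the redirect because the credential logic is the point.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// credentialHeaders must not follow a redirect to a different origin. Go's
// net/http drops some of these when its own Client follows redirects, but a
// handler that re-issues requests itself has to do this explicitly.
var credentialHeaders = []string{"Authorization", "Proxy-Authorization", "Cookie"}

// sameOrigin is deliberately strict: scheme and host (including any port)
// must match, so a same-host https -> http downgrade also strips credentials.
func sameOrigin(a, b *url.URL) bool {
	return strings.EqualFold(a.Scheme, b.Scheme) && strings.EqualFold(a.Host, b.Host)
}

// followRedirect builds the request a redirect handler would issue next. It
// resolves a relative Location against the previous URL, keeps the method
// only for 307/308, copies the headers, and strips credentials on an origin
// change.
func followRedirect(prev *http.Request, status int, location string) (*http.Request, error) {
	ref, err := url.Parse(location)
	if err != nil {
		return nil, fmt.Errorf("bad Location header: %w", err)
	}
	target := prev.URL.ResolveReference(ref)
	if target.Scheme != "http" && target.Scheme != "https" {
		return nil, fmt.Errorf("refusing redirect to scheme %q", target.Scheme)
	}
	method := http.MethodGet
	if status == http.StatusTemporaryRedirect || status == http.StatusPermanentRedirect {
		method = prev.Method
	}
	next, err := http.NewRequest(method, target.String(), nil)
	if err != nil {
		return nil, err
	}
	for k, v := range prev.Header {
		next.Header[k] = append([]string(nil), v...)
	}
	if !sameOrigin(prev.URL, target) {
		for _, h := range credentialHeaders {
			next.Header.Del(h)
		}
	}
	return next, nil
}

// newAuthedRequest constructs the sample request used below: a smart-HTTP
// fetch carrying a bearer token, a cookie and a proxy credential. All values
// are made up for this example.
func newAuthedRequest() *http.Request {
	req, _ := http.NewRequest(http.MethodGet, "https://git.example/org/repo.git/info/refs?service=git-upload-pack", nil)
	req.Header.Set("Authorization", "Bearer constructed-token")
	req.Header.Set("Proxy-Authorization", "Basic Y29uc3RydWN0ZWQ=")
	req.Header.Set("Cookie", "session=constructed")
	req.Header.Set("X-Request-Id", "abc123")
	return req
}

func main() {
	locations := []string{
		"/org/repo-moved.git/info/refs",    // same origin: credentials kept
		"https://attacker.example/collect", // other host: credentials dropped
		"http://git.example/downgrade",     // same host, scheme downgrade: dropped
	}
	for _, loc := range locations {
		next, err := followRedirect(newAuthedRequest(), http.StatusFound, loc)
		if err != nil {
			fmt.Println(loc, "->", err)
			continue
		}
		fmt.Printf("%-45s Authorization=%q Cookie=%q X-Request-Id=%q\n",
			next.URL, next.Header.Get("Authorization"), next.Header.Get("Cookie"), next.Header.Get("X-Request-Id"))
	}
}
```

When reviewing a library that implements its own redirect following, look for exactly this branch: a copy of the previous request's headers with no origin comparison in between is the leak both advisories describe.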