Skip to content

fix: upgrade Go to 1.24.9 to address CVEs#1197

Closed
DaedalusG wants to merge 3 commits intomainfrom
wg/rel/fix-cves
Closed

fix: upgrade Go to 1.24.9 to address CVEs#1197
DaedalusG wants to merge 3 commits intomainfrom
wg/rel/fix-cves

Conversation

@DaedalusG
Copy link
Contributor

@DaedalusG DaedalusG commented Nov 11, 2025
edited
Loading

Addressing src-cli concern in https://sourcegraph.slack.com/archives/C05DWT4ANHH/p1762881342663879 by upgradeing go to minimum version that addresses vulns 1.24.9

Found the following vulns initially with govulncheck ./...

Details 
➜  src-cli git:(wg/rel/fix-cves) ✗ ~/go/bin/govulncheck ./...
=== Symbol Results ===

Vulnerability #1: GO-2025-4013
    Panic when validating certificates with DSA public keys in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4013
  Standard library
    Found in: crypto/x509@go1.23.12
    Fixed in: crypto/x509@go1.24.8
    Example traces found:
      #1: internal/servegit/serve.go:41:54: servegit.Serve.Start calls http.Server.Serve, which eventually calls x509.Certificate.Verify

Vulnerability #2: GO-2025-4012
    Lack of limit when parsing cookies can cause memory exhaustion in net/http
  More info: https://pkg.go.dev/vuln/GO-2025-4012
  Standard library
    Found in: net/http@go1.23.12
    Fixed in: net/http@go1.24.8
    Example traces found:
      #1: internal/users/admin.go:271:36: users.Client.GraphQL calls http.Client.Do
      #2: cmd/src/snapshot_upload.go:208:34: src.createGcsClient calls storage.NewClient, which eventually calls http.Client.PostForm
      #3: internal/users/admin.go:86:23: users.NewClient calls http.Get
      #4: internal/users/admin.go:99:37: users.NewClient calls http.Response.Cookies

Vulnerability #3: GO-2025-4011
    Parsing DER payload can cause memory exhaustion in encoding/asn1
  More info: https://pkg.go.dev/vuln/GO-2025-4011
  Standard library
    Found in: encoding/asn1@go1.23.12
    Fixed in: encoding/asn1@go1.24.8
    Example traces found:
      #1: internal/batches/docker/image.go:144:21: docker.image.UIDGID calls sync.Once.Do, which eventually calls asn1.Unmarshal

Vulnerability #4: GO-2025-4010
    Insufficient validation of bracketed IPv6 hostnames in net/url
  More info: https://pkg.go.dev/vuln/GO-2025-4010
  Standard library
    Found in: net/url@go1.23.12
    Fixed in: net/url@go1.24.8
    Example traces found:
      #1: internal/codeintel/gitutil.go:34:26: codeintel.parseRemote calls url.Parse
      #2: internal/servegit/serve.go:41:54: servegit.Serve.Start calls http.Server.Serve, which eventually calls url.ParseRequestURI
      #3: internal/users/admin.go:271:36: users.Client.GraphQL calls http.Client.Do, which eventually calls url.URL.Parse

Vulnerability #5: GO-2025-4009
    Quadratic complexity when parsing some invalid inputs in encoding/pem
  More info: https://pkg.go.dev/vuln/GO-2025-4009
  Standard library
    Found in: encoding/pem@go1.23.12
    Fixed in: encoding/pem@go1.24.8
    Example traces found:
      #1: internal/scout/kube/kube.go:309:44: kube.GetStorageUsage calls remotecommand.NewSPDYExecutor, which eventually calls pem.Decode

Vulnerability #6: GO-2025-4008
    ALPN negotiation error contains attacker controlled information in
    crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2025-4008
  Standard library
    Found in: crypto/tls@go1.23.12
    Fixed in: crypto/tls@go1.24.8
    Example traces found:
      #1: internal/pgdump/pgdump_sql_filter.go:121:32: pgdump.FilterInvalidLines calls storage.Writer.Write, which eventually calls tls.Conn.Handshake
      #2: internal/servegit/serve.go:41:54: servegit.Serve.Start calls http.Server.Serve, which eventually calls tls.Conn.HandshakeContext
      #3: internal/users/admin.go:277:24: users.Client.GraphQL calls io.ReadAll, which eventually calls tls.Conn.Read
      #4: internal/batches/service/service.go:463:13: service.duplicateBranchesErr.Error calls fmt.Fprintf, which calls tls.Conn.Write
      #5: internal/users/admin.go:271:36: users.Client.GraphQL calls http.Client.Do, which eventually calls tls.Dialer.DialContext

Vulnerability #7: GO-2025-4007
    Quadratic complexity when checking name constraints in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4007
  Standard library
    Found in: crypto/x509@go1.23.12
    Fixed in: crypto/x509@go1.24.9
    Example traces found:
      #1: internal/scout/kube/kube.go:309:44: kube.GetStorageUsage calls remotecommand.NewSPDYExecutor, which eventually calls x509.CertPool.AppendCertsFromPEM
      #2: internal/servegit/serve.go:41:54: servegit.Serve.Start calls http.Server.Serve, which eventually calls x509.Certificate.Verify
      #3: internal/batches/docker/image.go:144:21: docker.image.UIDGID calls sync.Once.Do, which eventually calls x509.ParseCertificate
      #4: internal/scout/kube/kube.go:309:44: kube.GetStorageUsage calls remotecommand.NewSPDYExecutor, which eventually calls x509.ParseECPrivateKey
      #5: internal/scout/kube/kube.go:309:44: kube.GetStorageUsage calls remotecommand.NewSPDYExecutor, which eventually calls x509.ParsePKCS1PrivateKey
      #6: internal/scout/kube/kube.go:309:44: kube.GetStorageUsage calls remotecommand.NewSPDYExecutor, which eventually calls x509.ParsePKCS8PrivateKey
      #7: internal/batches/docker/image.go:144:21: docker.image.UIDGID calls sync.Once.Do, which eventually calls x509.ParsePKIXPublicKey

Vulnerability #8: GO-2025-4006
    Excessive CPU consumption in ParseAddress in net/mail
  More info: https://pkg.go.dev/vuln/GO-2025-4006
  Standard library
    Found in: net/mail@go1.23.12
    Fixed in: net/mail@go1.24.8
    Example traces found:
      #1: internal/batches/service/service.go:478:40: service.Service.ParseBatchSpec calls batches.ParseBatchSpec, which eventually calls mail.ParseAddress

Your code is affected by 8 vulnerabilities from the Go standard library.
This scan also found 1 vulnerability in packages you import and 1 vulnerability
in modules you require, but your code doesn't appear to call these
vulnerabilities.
Use '-show verbose' for more details.

Test plan

built locally, reran govulncheck ./...

keegancsmith
keegancsmith reviewed Nov 11, 2025
View reviewed changes
Copy link
Member

@keegancsmith keegancsmith left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI you probably want to update the workflow files as well. This does work, but then each github action will download the relevant go toolchain since this go directive is a higher version.

Also while we are here, use the latest: 1.25.4

@keegancsmith
Copy link
Member

keegancsmith commented Nov 11, 2025

FYI #1198 will make it so you only need to update .tool-versions to get all CI workflows using that version.

@DaedalusG DaedalusG enabled auto-merge (squash) November 11, 2025 21:17
@DaedalusG DaedalusG disabled auto-merge November 11, 2025 21:18
@DaedalusG
Copy link
Contributor Author

DaedalusG commented Nov 12, 2025

Closing in light of https://sourcegraph.slack.com/archives/C05DWT4ANHH/p1762897452332459?thread_ts=1762881342.663879&cid=C05DWT4ANHH

@DaedalusG DaedalusG closed this Nov 12, 2025
@keegancsmith keegancsmith deleted the wg/rel/fix-cves branch November 12, 2025 09:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@keegancsmith keegancsmith keegancsmith approved these changes

@burmudar burmudar Awaiting requested review from burmudar

@andreeleuterio andreeleuterio Awaiting requested review from andreeleuterio

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@DaedalusG @keegancsmith