🔐 Security Vulnerability Fixes

✅ This pull request was created and verified by Backline to fix security vulnerabilities in your dependencies.

📦 Package Updates & Vulnerability Fixes

github.com/gin-gonic/gin

v1.6.3 → v1.9.1

• 🟧 CVE-2020-28483 - gin: HTTP response splitting.
• 🟨 CVE-2023-26125 - golang-github-gin-gonic-gin: Improper Input Validation.
• 🟨 CVE-2023-29401 - golang-github-gin-gonic-gin: Gin Web Framework does not properly sanitize filename parameter of Context.FileAttachment function.

github.com/sirupsen/logrus

v1.6.0 → v1.8.3

• 🟧 CVE-2025-65637 - github.com/sirupsen/logrus: github.com/sirupsen/logrus: Denial-of-Service due to large single-line payload.

golang.org/x/crypto

v0.1.0 → v0.39.0 (Recommended: <= 0.45.0)

• 🟥 CVE-2024-45337 - golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto.
• 🟧 CVE-2025-22869 - golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh.
• 🟨 CVE-2023-48795 - ssh: Prefix truncation attack on Binary Packet Protocol (BPP).
• 🟨 CVE-2025-47914 - golang.org/x/crypto/ssh/agent: in golang.org/x/crypto/ssh/agent.
• 🟨 CVE-2025-58181 - golang.org/x/crypto/ssh: in golang.org/x/crypto/ssh.

golang.org/x/net

v0.8.0 → v0.38.0 (Recommended: <= 0.38.0)

• 🟧 CVE-2023-39325 - golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487).
• 🟨 CVE-2023-3978 - golang.org/x/net/html: Cross site scripting.
• 🟨 CVE-2023-44487 - HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack).
• 🟨 CVE-2023-45288 - golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS.
• 🟨 CVE-2025-22870 - golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net.
• 🟨 CVE-2025-22872 - golang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net.

google.golang.org/protobuf

v1.28.1 → v1.33.0 (Recommended: <= 1.33.0)

• 🟨 CVE-2024-24786 - golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON.

^{Legend: 🟥 Critical | 🟧 High | 🟨 Medium | 🟦 Low}

⚠️ Breaking Change Notice

** version upgrade to 1.24.0**
Please review the following before merging:

• 🔧 Local Development: Update your local installation to 1.24.0
• 🚀 CI/CD Pipeline: Verify build pipelines and Docker images use 1.24.0
• 📋 Dependencies: Ensure all build tools are compatible with the new version

Backline is here to help accelerate the remediation of your security backlog. Here's how we operate:

📥 Fetch Findings – Gather security issues
🔍 Analyze Findings – Understand the context and impact
📝 Plan Remediation – Generate a safe and effective fix strategy
👷 Apply Fix – Implement the remediation in code
🧪 Validate Code – Ensure the changes maintain code quality and integrity
✅ Verify – Run tests to ensure correctness and stability