
VULN UPGRADE: minor upgrades — 6 packages (minor: 4 · patch: 2) #12

Closed
campaigner-prod[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/minorpatch/go/0-1770993322

Conversation

@campaigner-prod

Summary: Critical-severity security update — 6 packages upgraded (MINOR changes included)

Manifests changed:

  • . (go)

Updates

| Package | From | To | Type | Vulnerabilities Fixed |
| --- | --- | --- | --- | --- |
| github.com/hashicorp/vault | v1.16.3 | v1.21.3 | minor | 3 CRITICAL, 18 HIGH, 17 MODERATE, 4 MEDIUM, 6 LOW |
| cloud.google.com/go/storage | v1.42.0 | v1.59.2 | minor | - |
| github.com/aws/aws-sdk-go-v2/feature/ec2/imds | v1.15.2 | v1.18.17 | minor | - |
| gopkg.in/DataDog/dd-trace-go.v1 | v1.64.0 | v1.74.8 | minor | - |
| github.com/gorilla/mux | v1.8.0 | v1.8.1 | patch | - |
| go.uber.org/zap | v1.27.0 | v1.27.1 | patch | - |

Packages marked with "-" are updated due to dependency constraints.


Security Details

🚨 Critical & High Severity (21 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
| --- | --- | --- | --- | --- | --- |
| github.com/hashicorp/vault | GHSA-mr4h-qf9j-f665 | CRITICAL | Hashicorp Vault has Code Execution Vulnerability via Plugin Configuration | v1.16.3 | 1.20.1 |
| github.com/hashicorp/vault | GO-2025-3838 | CRITICAL | Hashicorp Vault has Code Execution Vulnerability via Plugin Configuration in github.com/hashicorp/vault | v1.16.3 | 1.20.1 |
| github.com/hashicorp/vault | CVE-2025-6000 | CRITICAL | - | v1.16.3 | - |
| github.com/hashicorp/vault | GO-2024-3162 | high | Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default in github.com/hashicorp/vault | v1.16.3 | 1.17.6 |
| github.com/hashicorp/vault | CVE-2024-7594 | high | - | v1.16.3 | - |
| github.com/hashicorp/vault | CVE-2025-11621 | HIGH | - | v1.16.3 | - |
| github.com/hashicorp/vault | GHSA-9g4h-h484-3578 | HIGH | HashiCorp Vault and Vault Enterprise's AWS Auth method may be susceptible to authentication bypass | v1.16.3 | 1.21.0 |
| github.com/hashicorp/vault | GO-2024-3246 | HIGH | Hashicorp Vault vulnerable to denial of service through memory exhaustion in github.com/hashicorp/vault | v1.16.3 | 1.18.1 |
| github.com/hashicorp/vault | CVE-2024-8185 | HIGH | - | v1.16.3 | - |
| github.com/hashicorp/vault | GHSA-g233-2p4r-3q7v | HIGH | Hashicorp Vault vulnerable to denial of service through memory exhaustion | v1.16.3 | 1.18.1 |
| github.com/hashicorp/vault | CVE-2025-6203 | high | - | v1.16.3 | - |
| github.com/hashicorp/vault | GHSA-8f82-53h8-2p34 | HIGH | HashiCorp Vault Community Edition Denial of Service Though Complex JSON Payloads | v1.16.3 | 1.20.3 |
| github.com/hashicorp/vault | GO-2025-3924 | high | HashiCorp Vault Community Edition Denial of Service Though Complex JSON Payloads in github.com/hashicorp/vault | v1.16.3 | 1.20.3 |
| github.com/hashicorp/vault | CVE-2024-9180 | high | - | v1.16.3 | - |
| github.com/hashicorp/vault | GHSA-rr8j-7w34-xp5j | HIGH | Vault Community Edition privilege escalation vulnerability | v1.16.3 | 1.18.0 |
| github.com/hashicorp/vault | GO-2024-3191 | high | Vault Community Edition privilege escalation vulnerability in github.com/hashicorp/vault | v1.16.3 | 1.18.0 |
| github.com/hashicorp/vault | CVE-2025-5999 | HIGH | - | v1.16.3 | - |
| github.com/hashicorp/vault | GO-2025-3837 | HIGH | Hashicorp Vault has Privilege Escalation Vulnerability in github.com/hashicorp/vault | v1.16.3 | 1.20.0 |
| github.com/hashicorp/vault | GO-2025-4070 | HIGH | HashiCorp Vault and Vault Enterprise's AWS Auth method may be susceptible to authentication bypass in github.com/hashicorp/vault | v1.16.3 | 1.21.0 |
| github.com/hashicorp/vault | GHSA-jg74-mwgw-v6x3 | HIGH | Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default | v1.16.3 | 1.17.6 |
| github.com/hashicorp/vault | GHSA-6h4p-m86h-hhgh | HIGH | Hashicorp Vault has Privilege Escalation Vulnerability | v1.16.3 | 1.20.0 |
ℹ️ Other Vulnerabilities (27)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
| --- | --- | --- | --- | --- | --- |
| github.com/hashicorp/vault | CVE-2025-6014 | medium | - | v1.16.3 | - |
| github.com/hashicorp/vault | GO-2025-3841 | medium | Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse in github.com/hashicorp/vault | v1.16.3 | 1.20.1 |
| github.com/hashicorp/vault | CVE-2025-4166 | medium | - | v1.16.3 | - |
| github.com/hashicorp/vault | GO-2025-3663 | medium | Hashicorp Vault Community vulnerable to Generation of Error Message Containing Sensitive Information in github.com/hashicorp/vault | v1.16.3 | 1.19.3 |
| github.com/hashicorp/vault | CVE-2025-6004 | MODERATE | - | v1.16.3 | - |
| github.com/hashicorp/vault | GHSA-gcqf-f89c-68hv | MODERATE | Hashicorp Vault Community vulnerable to Generation of Error Message Containing Sensitive Information | v1.16.3 | 1.19.3 |
| github.com/hashicorp/vault | GHSA-qgj7-fmq2-6cc4 | MODERATE | Hashicorp Vault has Lockout Feature Authentication Bypass | v1.16.3 | 1.20.1 |
| github.com/hashicorp/vault | CVE-2025-6015 | MODERATE | - | v1.16.3 | - |
| github.com/hashicorp/vault | GO-2025-3840 | MODERATE | Hashicorp Vault has Lockout Feature Authentication Bypass in github.com/hashicorp/vault | v1.16.3 | 1.20.1 |
| github.com/hashicorp/vault | GHSA-v6r4-35f9-9rpw | MODERATE | Hashicorp Vault has Login MFA Rate Limit Bypass Vulnerability | v1.16.3 | 1.20.1 |
| github.com/hashicorp/vault | GO-2025-3662 | MODERATE | Hashicorp Vault Community vulnerable to Incorrect Authorization in github.com/hashicorp/vault | v1.16.3 | 1.19.1 |
| github.com/hashicorp/vault | GHSA-qv3p-fmv3-9hww | MODERATE | Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse | v1.16.3 | 1.20.1 |
| github.com/hashicorp/vault | CVE-2025-3879 | MODERATE | - | v1.16.3 | - |
| github.com/hashicorp/vault | GHSA-f9ch-h8j7-8jwg | MODERATE | Hashicorp Vault Community vulnerable to Incorrect Authorization | v1.16.3 | 1.19.1 |
| github.com/hashicorp/vault | GO-2025-3836 | MODERATE | Hashicorp Vault has Incorrect Validation for Non-CA Certificates in github.com/hashicorp/vault | v1.16.3 | 1.20.1 |
| github.com/hashicorp/vault | CVE-2025-6037 | MODERATE | - | v1.16.3 | - |
| github.com/hashicorp/vault | GHSA-6c5r-4wfc-3mcx | MODERATE | Hashicorp Vault has Incorrect Validation for Non-CA Certificates | v1.16.3 | 1.20.1 |
| github.com/hashicorp/vault | GO-2025-3848 | MODERATE | HashiCorp Vault ldap auth method may not have correctly enforced MFA in github.com/hashicorp/vault | v1.16.3 | 1.20.2 |
| github.com/hashicorp/vault | CVE-2025-6013 | MODERATE | - | v1.16.3 | - |
| github.com/hashicorp/vault | GHSA-7rx2-769v-hrwf | MODERATE | HashiCorp Vault ldap auth method may not have correctly enforced MFA | v1.16.3 | 1.20.2 |
| github.com/hashicorp/vault | GO-2025-3842 | MODERATE | Hashicorp Vault has Login MFA Rate Limit Bypass Vulnerability in github.com/hashicorp/vault | v1.16.3 | 1.20.1 |
| github.com/hashicorp/vault | GHSA-mwgr-84fv-3jh9 | LOW | Hashicorp Vault has an Observable Discrepancy on Existing and Non-Existing Users | v1.16.3 | 1.20.1 |
| github.com/hashicorp/vault | CVE-2025-6011 | LOW | - | v1.16.3 | - |
| github.com/hashicorp/vault | GHSA-fhc2-8qx8-6vj7 | LOW | Vault Community Edition rekey and recovery key operations can cause denial of service | v1.16.3 | 1.20.0 |
| github.com/hashicorp/vault | CVE-2025-4656 | low | - | v1.16.3 | - |
| github.com/hashicorp/vault | GO-2025-3788 | low | Vault Community Edition rekey and recovery key operations can cause denial of service in github.com/hashicorp/vault | v1.16.3 | 1.20.0 |
| github.com/hashicorp/vault | GO-2025-3839 | LOW | Hashicorp Vault has an Observable Discrepancy on Existing and Non-Existing Users in github.com/hashicorp/vault | v1.16.3 | 1.20.1 |
⚠️ Dependencies that have Reached EOL (1)
| Dependency | Unsafe Version | EOL Date | New Version | Path |
| --- | --- | --- | --- | --- |
| github.com/gorilla/mux | v1.8.0 | - | v1.8.1 | go.mod |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System
