Status: Open
Labels: bug (This issue describes a defect or unexpected behavior), carvel triage (This issue has not yet been triaged for relevance)
Description
The listed CVEs for v0.52.0 include HIGH.
@devanshuVmware Can you check and let us know when the new version with CVE fixes will be available? Our CI pipeline is currently blocked because of these issues.
Vulnerabilities Summary
/usr/local/bin/ytt (gobinary)
Total: 10 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 4, CRITICAL: 0)
| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| stdlib | CVE-2025-58183 | HIGH | fixed | 1.24.6 | 1.24.8, 1.25.2 | golang: archive/tar: Unbounded allocation when parsing GNU sparse map |
| stdlib | CVE-2025-58186 | HIGH | fixed | 1.24.6 | 1.24.8, 1.25.2 | Despite HTTP headers having a default limit of 1MB, the number of headers can cause memory issues |
| stdlib | CVE-2025-58187 | HIGH | fixed | 1.24.6 | 1.24.9, 1.25.3 | Due to the design of the name constraint checking algorithm, invalid certificates may be accepted |
| stdlib | CVE-2025-58188 | HIGH | fixed | 1.24.6 | 1.24.8, 1.25.2 | Validating certificate chains containing DSA public keys can cause unexpected behavior |
| stdlib | CVE-2025-47912 | MEDIUM | fixed | 1.24.6 | 1.24.8, 1.25.2 | net/url: Insufficient validation of bracketed IPv6 hostnames |
| stdlib | CVE-2025-58185 | MEDIUM | fixed | 1.24.6 | 1.24.8, 1.25.2 | encoding/asn1: Parsing DER payload can cause memory exhaustion |
| stdlib | CVE-2025-58189 | MEDIUM | fixed | 1.24.6 | 1.24.8, 1.25.2 | crypto/tls: ALPN negotiation error may contain attacker-controlled information |
| stdlib | CVE-2025-61723 | MEDIUM | fixed | 1.24.6 | 1.24.8, 1.25.2 | encoding/pem: Quadratic complexity when parsing some invalid inputs |
| stdlib | CVE-2025-61724 | MEDIUM | fixed | 1.24.6 | 1.24.8, 1.25.2 | net/textproto: Excessive CPU consumption in Reader.ReadResponse |
| stdlib | CVE-2025-61725 | MEDIUM | fixed | 1.24.6 | 1.24.8, 1.25.2 | net/mail: Excessive CPU consumption in ParseAddress |