Description
Hi Confluent team 👋,
Our project uses github.com/confluentinc/confluent-kafka-go/v2 v2.12.0, and during our Black Duck license/security scan, we identified a High Severity Security Policy Rule violation caused by a transitive dependency on containerd/containerd v1.7.18.
Black Duck Advisory: BDSA-2025-2173
CVE: CVE-2024-40635
🧩 Description
containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4, where containers launched with a User set as a UID:GID larger than the maximum 32-bit signed integer could cause an overflow condition, resulting in the container running as root (UID 0).
This may lead to unexpected behavior in environments that require containers to run as non-root users.
🧰 Suggested fix
Please update the dependency to a non-vulnerable version of containerd that includes the fix for this issue.
Example change in go.mod:

```
require (
	github.com/containerd/containerd v1.7.27
)
```
🧠 Additional context
This vulnerability is officially tracked under CVE-2024-40635 and Black Duck Advisory BDSA-2025-2173.
Even if this dependency may not be directly invoked at runtime, many enterprise CI/CD security policies block builds with unresolved High severity findings.
Upgrading ensures compliance with security and SCA policies, and helps downstream consumers maintain a secure dependency chain.
🙏 Thanks
Thanks for maintaining this library — it’s an essential component in many production environments, and we appreciate your efforts to keep its dependencies secure and up to date.
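Added here as a worked example by the editor; it is not code from the issue, from confluent-kafka-go or from containerd. ParseUserNaive is an illustrative model of the bug class the advisory describes (a UID:GID parsed at 64-bit width and then narrowed to the uint32 the OCI spec uses, so a value such as 2^32 becomes 0, i.e. root), not containerd's actual code path; ParseUserChecked is the hardened form that parses at 32-bit width and rejects anything above math.MaxInt32. ContainerdIsFixed classifies a module version against the fixed versions the advisory names (1.6.38, 1.7.27 and 2.0.4); it assumes release lines newer than 2.0 branched after the fix and conservatively treats any other unlisted line as unfixed. The UID:GID strings are constructed sample inputs. Go is used because it is confluent-kafka-go's language.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
)

// Constructed sample inputs for this example; not taken from the issue.
const (
	SampleUser     = "1000:1000"
	WrapToZeroUser = "4294967296:4294967296" // 2^32: narrows to 0 in a uint32
	AboveInt32User = "2147483648:2147483648" // math.MaxInt32 + 1
)

func splitUser(user string) (string, string, error) {
	parts := strings.SplitN(user, ":", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", fmt.Errorf("user %q is not of the form UID:GID", user)
	}
	return parts[0], parts[1], nil
}

// ParseUserNaive models the vulnerable pattern (an illustration of the bug
// class, not containerd's code): parse at 64-bit width, then narrow to the
// uint32 the OCI spec uses. A multiple of 2^32 silently becomes 0, i.e. root.
func ParseUserNaive(user string) (uid, gid uint32, err error) {
	us, gs, err := splitUser(user)
	if err != nil {
		return 0, 0, err
	}
	u, uerr := strconv.ParseUint(us, 10, 64)
	g, gerr := strconv.ParseUint(gs, 10, 64)
	if uerr != nil || gerr != nil {
		return 0, 0, fmt.Errorf("bad UID:GID %q", user)
	}
	return uint32(u), uint32(g), nil // BUG: lossy narrowing
}

// ParseUserChecked is the hardened form: bitSize 32 makes ParseUint fail on
// anything >= 2^32, and the explicit bound rejects the (MaxInt32, MaxUint32]
// range the advisory text describes, so the ID can neither wrap nor turn
// negative in a consumer that stores it as a signed int32.
func ParseUserChecked(user string) (uid, gid uint32, err error) {
	us, gs, err := splitUser(user)
	if err != nil {
		return 0, 0, err
	}
	var ids [2]uint32
	for i, s := range []string{us, gs} {
		v, err := strconv.ParseUint(s, 10, 32)
		if err != nil {
			return 0, 0, fmt.Errorf("id %q: %w", s, err)
		}
		if v > math.MaxInt32 {
			return 0, 0, fmt.Errorf("id %d exceeds the int32 maximum %d", v, math.MaxInt32)
		}
		ids[i] = uint32(v)
	}
	return ids[0], ids[1], nil
}

// ContainerdIsFixed reports whether a containerd module version carries the
// fix, using the fixed versions the advisory names: 1.6.38, 1.7.27 and 2.0.4.
// Assumption: release lines newer than 2.0 branched after the fix; any other
// unlisted line is conservatively reported as unfixed.
func ContainerdIsFixed(version string) (bool, error) {
	v := strings.TrimPrefix(version, "v")
	prerelease := false
	if i := strings.IndexByte(v, '-'); i >= 0 { // e.g. 1.7.27-rc.1
		prerelease, v = true, v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return false, fmt.Errorf("version %q is not MAJOR.MINOR.PATCH", version)
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil {
			return false, fmt.Errorf("version %q: bad component %q", version, p)
		}
		n[i] = x
	}
	fixedPatch := map[[2]int]int{{1, 6}: 38, {1, 7}: 27, {2, 0}: 4}
	if fp, ok := fixedPatch[[2]int{n[0], n[1]}]; ok {
		// A pre-release of the fixed patch precedes the fix itself.
		return n[2] > fp || (n[2] == fp && !prerelease), nil
	}
	return n[0] > 2 || (n[0] == 2 && n[1] > 0), nil
}

func main() {
	for _, u := range []string{SampleUser, WrapToZeroUser, AboveInt32User} {
		nu, ng, nerr := ParseUserNaive(u)
		_, _, cerr := ParseUserChecked(u)
		fmt.Printf("%-22s naive uid=%d gid=%d (%v) | checked: %v\n", u, nu, ng, nerr, cerr)
	}
	fixed, err := ContainerdIsFixed("v1.7.18") // the version the issue reports
	fmt.Println("v1.7.18 fixed:", fixed, err)
}
```

To find the version actually selected in a consumer's build, feed ContainerdIsFixed the line printed by `go list -m all | grep containerd/containerd`; `go mod why -m github.com/containerd/containerd` shows which import chain pulls it in, and `govulncheck ./...` reports whether the vulnerable symbols are reachable from the consumer's own code, which is the distinction the issue's "may not be directly invoked at runtime" remark turns on.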