x/vulndb: potential Go vuln in github.com/zalando/skipper: GHSA-cc8m-98fm-rc9g

Advisory [GHSA-cc8m-98fm-rc9g](https://github.com/advisories/GHSA-cc8m-98fm-rc9g) references a vulnerability in the following Go modules:

| Module |
| - |
| [github.com/zalando/skipper](https://pkg.go.dev/github.com/zalando/skipper) |

Description:
### Impact

Arbitrary code execution through [lua filters](https://opensource.zalando.com/skipper/reference/scripts/).

The default skipper configuration before v0.23 was `-lua-sources=inline,file`. 
The problem starts if untrusted users can create lua filters, because of `-lua-sources=inline` , for example through a Kubernetes Ingress resource. The configuration `inline` allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs they an read skipper secrets.

Kubernetes example (vulnerability is not li...

References:
- ADVISORY: https://github.com/advisories/GHSA-cc8m-98fm-rc9g
- ADVISORY: https://github.com/zalando/skipper/security/advisories/GHSA-cc8m-98fm-rc9g
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-23742
- FIX: https://github.com/zalando/skipper/commit/0b52894570773b29e2f3c571b94b4211ef8fa714
- WEB: https://github.com/zalando/skipper/releases/tag/v0.23.0

Cross references:
- github.com/zalando/skipper appears in 2 other report(s):
  - data/reports/GO-2022-0494.yaml    (https://github.com/golang/vulndb/issues/494)
  - data/reports/GO-2022-1086.yaml    (https://github.com/golang/vulndb/issues/1086)

See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.

```
id: GO-ID-PENDING
modules:
    - module: github.com/zalando/skipper
      versions:
        - fixed: 0.23.0
      vulnerable_at: 0.22.223
summary: Skipper is vulnerable to arbitrary code execution through lua filters in github.com/zalando/skipper
cves:
    - CVE-2026-23742
ghsas:
    - GHSA-cc8m-98fm-rc9g
references:
    - advisory: https://github.com/advisories/GHSA-cc8m-98fm-rc9g
    - advisory: https://github.com/zalando/skipper/security/advisories/GHSA-cc8m-98fm-rc9g
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-23742
    - fix: https://github.com/zalando/skipper/commit/0b52894570773b29e2f3c571b94b4211ef8fa714
    - web: https://github.com/zalando/skipper/releases/tag/v0.23.0
source:
    id: GHSA-cc8m-98fm-rc9g
    created: 2026-01-16T22:01:25.376536173Z
review_status: UNREVIEWED

```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

x/vulndb: potential Go vuln in github.com/zalando/skipper: GHSA-cc8m-98fm-rc9g #4327

Impact

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

x/vulndb: potential Go vuln in github.com/zalando/skipper: GHSA-cc8m-98fm-rc9g #4327

Description

Impact

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions