
Security Vulnerabilities (Critical, High, Medium) in Packer v1.14.2 #13517

@Namrata-Acquia1

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

When filing a bug, please include the following headings if possible. Any
example text in this template can be deleted.

Overview of the Issue

Security vulnerabilities were identified in Packer version 1.14.2 by our internal Orca security scans. These affect several dependencies bundled with the binary and may pose security risks in environments that rely on this version.

{
      "target": "usr/local/bin/packer",
      "category": "lang-pkgs",
      "type": "gobinary",
      "vulnerabilities": [
        {
          "vulnerability_id": "CVE-2025-22871",
          "severity": "CRITICAL",
          "pkg_name": "stdlib",
          "pkg_path": "",
          "installed_version": "v1.23.2",
          "fixed_version": "1.23.8, 1.24.2",
          "cvss_v2_score": "",
          "cvss_v3_score": "9.1",
          "status_summary": {
            "priority": "HIGH",
            "status": "FAILED"
          },
          "location": {},
          "is_new_issue": false
        },
        {
          "vulnerability_id": "CVE-2025-47907",
          "severity": "HIGH",
          "pkg_name": "stdlib",
          "pkg_path": "",
          "installed_version": "v1.23.2",
          "fixed_version": "1.23.12, 1.24.6",
          "cvss_v2_score": "",
          "cvss_v3_score": "7",
          "status_summary": {
            "priority": "HIGH",
            "status": "FAILED"
          },
          "location": {},
          "is_new_issue": false
        },
        {
          "vulnerability_id": "CVE-2025-58187",
          "severity": "HIGH",
          "pkg_name": "stdlib",
          "pkg_path": "",
          "installed_version": "v1.23.2",
          "fixed_version": "1.24.9, 1.25.3",
          "cvss_v2_score": "",
          "cvss_v3_score": "7.5",
          "status_summary": {
            "priority": "INFO",
            "status": "WARNING"
          },
          "location": {},
          "is_new_issue": false
        },
        {
          "vulnerability_id": "CVE-2025-58188",
          "severity": "HIGH",
          "pkg_name": "stdlib",
          "pkg_path": "",
          "installed_version": "v1.23.2",
          "fixed_version": "1.24.8, 1.25.2",
          "cvss_v2_score": "",
          "cvss_v3_score": "7.5",
          "status_summary": {
            "priority": "INFO",
            "status": "WARNING"
          },
          "location": {},
          "is_new_issue": false
        },
        {
          "vulnerability_id": "CVE-2025-61723",
          "severity": "HIGH",
          "pkg_name": "stdlib",
          "pkg_path": "",
          "installed_version": "v1.23.2",
          "fixed_version": "1.24.8, 1.25.2",
          "cvss_v2_score": "",
          "cvss_v3_score": "7.5",
          "status_summary": {
            "priority": "INFO",
            "status": "WARNING"
          },
          "location": {},
          "is_new_issue": false
        },
        {
          "vulnerability_id": "CVE-2025-61725",
          "severity": "HIGH",
          "pkg_name": "stdlib",
          "pkg_path": "",
          "installed_version": "v1.23.2",
          "fixed_version": "1.24.8, 1.25.2",
          "cvss_v2_score": "",
          "cvss_v3_score": "7.5",
          "status_summary": {
            "priority": "INFO",
            "status": "WARNING"
          },
          "location": {},
          "is_new_issue": false
        },
        {
          "vulnerability_id": "CVE-2025-47912",
          "severity": "MEDIUM",
          "pkg_name": "stdlib",
          "pkg_path": "",
          "installed_version": "v1.23.2",
          "fixed_version": "1.24.8, 1.25.2",
          "cvss_v2_score": "",
          "cvss_v3_score": "5.3",
          "status_summary": {
            "priority": "INFO",
            "status": "WARNING"
          },
          "location": {},
          "is_new_issue": false
        },
        {
          "vulnerability_id": "CVE-2025-58183",
          "severity": "MEDIUM",
          "pkg_name": "stdlib",
          "pkg_path": "",
          "installed_version": "v1.23.2",
          "fixed_version": "1.24.8, 1.25.2",
          "cvss_v2_score": "",
          "cvss_v3_score": "4.3",
          "status_summary": {
            "priority": "INFO",
            "status": "WARNING"
          },
          "location": {},
          "is_new_issue": false
        },
        {
          "vulnerability_id": "CVE-2025-58186",
          "severity": "MEDIUM",
          "pkg_name": "stdlib",
          "pkg_path": "",
          "installed_version": "v1.23.2",
          "fixed_version": "1.24.8, 1.25.2",
          "cvss_v2_score": "",
          "cvss_v3_score": "5.3",
          "status_summary": {
            "priority": "INFO",
            "status": "WARNING"
          },
          "location": {},
          "is_new_issue": false
        },
        {
          "vulnerability_id": "CVE-2025-61724",
          "severity": "MEDIUM",
          "pkg_name": "stdlib",
          "pkg_path": "",
          "installed_version": "v1.23.2",
          "fixed_version": "1.24.8, 1.25.2",
          "cvss_v2_score": "",
          "cvss_v3_score": "5.3",
          "status_summary": {
            "priority": "INFO",
            "status": "WARNING"
          },
          "location": {},
          "is_new_issue": false
        },
        {
          "vulnerability_id": "CVE-2024-45336",
          "severity": "MEDIUM",
          "pkg_name": "stdlib",
          "pkg_path": "",
          "installed_version": "v1.23.2",
          "fixed_version": "1.22.11, 1.23.5, 1.24.0-rc.2",
          "cvss_v2_score": "",
          "cvss_v3_score": "6.1",
          "status_summary": {
            "priority": "MEDIUM",
            "status": "FAILED"
          },
          "location": {},
          "is_new_issue": false
        },
        {
          "vulnerability_id": "CVE-2024-45341",
          "severity": "MEDIUM",
          "pkg_name": "stdlib",
          "pkg_path": "",
          "installed_version": "v1.23.2",
          "fixed_version": "1.22.11, 1.23.5, 1.24.0-rc.2",
          "cvss_v2_score": "",
          "cvss_v3_score": "6.1",
          "status_summary": {
            "priority": "MEDIUM",
            "status": "FAILED"
          },
          "location": {},
          "is_new_issue": false
        },
        {
          "vulnerability_id": "CVE-2025-0913",
          "severity": "MEDIUM",
          "pkg_name": "stdlib",
          "pkg_path": "",
          "installed_version": "v1.23.2",
          "fixed_version": "1.23.10, 1.24.4",
          "cvss_v2_score": "",
          "cvss_v3_score": "5.5",
          "status_summary": {
            "priority": "MEDIUM",
            "status": "FAILED"
          },
          "location": {},
          "is_new_issue": false
        },
        {
          "vulnerability_id": "CVE-2025-22866",
          "severity": "MEDIUM",
          "pkg_name": "stdlib",
          "pkg_path": "",
          "installed_version": "v1.23.2",
          "fixed_version": "1.22.12, 1.23.6, 1.24.0-rc.3",
          "cvss_v2_score": "",
          "cvss_v3_score": "4",
          "status_summary": {
            "priority": "MEDIUM",
            "status": "FAILED"
          },
          "location": {},
          "is_new_issue": false
        },
        {
          "vulnerability_id": "CVE-2025-4673",
          "severity": "MEDIUM",
          "pkg_name": "stdlib",
          "pkg_path": "",
          "installed_version": "v1.23.2",
          "fixed_version": "1.23.10, 1.24.4",
          "cvss_v2_score": "",
          "cvss_v3_score": "6.8",
          "status_summary": {
            "priority": "MEDIUM",
            "status": "FAILED"
          },
          "location": {},
          "is_new_issue": false
        },
        {
          "vulnerability_id": "CVE-2025-47906",
          "severity": "MEDIUM",
          "pkg_name": "stdlib",
          "pkg_path": "",
          "installed_version": "v1.23.2",
          "fixed_version": "1.23.12, 1.24.6",
          "cvss_v2_score": "",
          "cvss_v3_score": "6.5",
          "status_summary": {
            "priority": "INFO",
            "status": "WARNING"
          },
          "location": {},
          "is_new_issue": false
        },
        {
          "vulnerability_id": "CVE-2025-58185",
          "severity": "MEDIUM",
          "pkg_name": "stdlib",
          "pkg_path": "",
          "installed_version": "v1.23.2",
          "fixed_version": "1.24.8, 1.25.2",
          "cvss_v2_score": "",
          "cvss_v3_score": "5.3",
          "status_summary": {
            "priority": "INFO",
            "status": "WARNING"
          },
          "location": {},
          "is_new_issue": false
        },
        {
          "vulnerability_id": "CVE-2025-58189",
          "severity": "MEDIUM",
          "pkg_name": "stdlib",
          "pkg_path": "",
          "installed_version": "v1.23.2",
          "fixed_version": "1.24.8, 1.25.2",
          "cvss_v2_score": "",
          "cvss_v3_score": "5.3",
          "status_summary": {
            "priority": "INFO",
            "status": "WARNING"
          },
          "location": {},
          "is_new_issue": false
        }
      ],
      "vulnerabilities_count": {
        "total": 18,
        "critical": 1,
        "high": 5,
        "medium": 12,
        "low": 0,
        "unknown": 0
      }
    }

Fixed Go version: 1.24.8, 1.25.2

Reproduction Steps

Steps to reproduce this issue

Packer version

From 1.14.2

Simplified Packer Template

If the file is longer than a few dozen lines, please include the URL to the
gist of the log or use the GitHub detailed format instead of posting it
directly in the issue.

Operating system and Environment details

OS, Architecture, and any other information you can provide about the
environment.

Log Fragments and crash.log files

Include appropriate log fragments. If the log is longer than a few dozen lines,
please include the URL to the gist of the log or
use the GitHub detailed format instead of posting it directly in the issue.

Set the env var PACKER_LOG=1 for maximum log detail.
