update cli-security 1.16.2 - skip-auto-install for pip #847

Open: wants to merge 1 commit into base branch dev

Conversation

hadarshjfrog
Collaborator

  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • This pull request is on the dev branch.
  • I used gofmt for formatting the code before submitting the pull request.
  • Update documentation about new features / new supported technologies

@hadarshjfrog hadarshjfrog added safe to test Approve running integration tests on a pull request improvement Automatically generated release notes labels Mar 27, 2025
@hadarshjfrog hadarshjfrog requested a review from attiasas March 27, 2025 12:45
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Mar 27, 2025
Contributor

@attiasas attiasas left a comment

LGTM

@hadarshjfrog hadarshjfrog added the safe to test Approve running integration tests on a pull request label May 6, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label May 6, 2025
Contributor

github-actions bot commented May 6, 2025

🚨 Frogbot scanned this pull request and found the below:

📗 Scan Summary

  • Frogbot scanned for vulnerabilities and found 4 issues
Scan Category                               | Status | Security Issues
Software Composition Analysis               | Done   | 4 Issues Found (2 High, 2 Medium)
Contextual Analysis                         | Done   | -
Static Application Security Testing (SAST)  | Done   | Not Found
Secrets                                     | Done   | -
Infrastructure as Code (IaC)                | Done   | Not Found

📦 Vulnerable Dependencies

Severity | ID | Contextual Analysis | Direct Dependencies | Impacted Dependency | Fixed Versions
High | CVE-2025-30204 | Missing Context | github.com/golang-jwt/jwt/v4:v4.5.1, github.com/jfrog/jfrog-cli-artifactory:v0.2.1, github.com/jfrog/jfrog-cli-core/v2:v2.58.2, github.com/jfrog/jfrog-cli-security:v1.16.2, github.com/jfrog/jfrog-client-go:v1.51.1 | github.com/golang-jwt/jwt/v4 v4.5.1 | [4.5.2]
High | CVE-2025-22869 | Missing Context | golang.org/x/crypto:v0.32.0, github.com/go-git/go-billy/v5:v5.6.2, github.com/go-git/go-git/v5:v5.13.2, github.com/jfrog/jfrog-cli-artifactory:v0.2.1, github.com/jfrog/jfrog-cli-core/v2:v2.58.2, github.com/jfrog/jfrog-cli-security:v1.16.2, github.com/jfrog/jfrog-client-go:v1.51.1, github.com/skeema/knownhosts:v1.3.1, golang.org/x/net:v0.34.0 | golang.org/x/crypto v0.32.0 | [0.35.0]
Medium (not applicable) | CVE-2025-22872 | Not Applicable | github.com/go-git/go-git/v5:v5.13.2, github.com/jfrog/jfrog-cli-artifactory:v0.2.1, github.com/jfrog/jfrog-cli-core/v2:v2.58.2, github.com/jfrog/jfrog-cli-security:v1.16.2, github.com/jfrog/jfrog-client-go:v1.51.1, golang.org/x/net:v0.34.0, github.com/go-git/go-billy/v5:v5.6.2 | golang.org/x/net v0.34.0 | [0.38.0]
Medium (not applicable) | CVE-2025-22870 | Not Applicable | github.com/jfrog/jfrog-client-go:v1.51.1, golang.org/x/net:v0.34.0, github.com/go-git/go-billy/v5:v5.6.2, github.com/go-git/go-git/v5:v5.13.2, github.com/jfrog/jfrog-cli-artifactory:v0.2.1, github.com/jfrog/jfrog-cli-core/v2:v2.58.2, github.com/jfrog/jfrog-cli-security:v1.16.2 | golang.org/x/net v0.34.0 | [0.36.0]

🔖 Details

[ CVE-2025-30204 ] github.com/golang-jwt/jwt/v4 v4.5.1

Vulnerability Details

Jfrog Research Severity: Medium
Contextual Analysis: Missing Context
Direct Dependencies: github.com/golang-jwt/jwt/v4:v4.5.1, github.com/jfrog/jfrog-cli-artifactory:v0.2.1, github.com/jfrog/jfrog-cli-core/v2:v2.58.2, github.com/jfrog/jfrog-cli-security:v1.16.2, github.com/jfrog/jfrog-client-go:v1.51.1
Impacted Dependency: github.com/golang-jwt/jwt/v4:v4.5.1
Fixed Versions: [4.5.2]
CVSS V3: 7.5

Unbounded resource consumption in golang-jwt can lead to denial of service when an attacker client sends a malformed token.

🔬 JFrog Research Details

Description:
A design bug in the Go golang-jwt module may lead to denial of service when an attacker sends a malformed token to a server.

The Parser.ParseUnverified() function starts with:

func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
	// The whole token is split on "." before the segment count is checked.
	parts = strings.Split(tokenString, ".")
	if len(parts) != 3 {
		return nil, parts, newError("token contains an invalid number of segments", ErrTokenMalformed)
	}
	// ... remainder of the function omitted

If an attacker sends a token containing a very large number of dots (e.g. 100000), the strings.Split() call can consume an unexpected amount of memory and crash the process, which may lead to DoS.

[ CVE-2025-22869 ] golang.org/x/crypto v0.32.0

Vulnerability Details

Jfrog Research Severity: High
Contextual Analysis: Missing Context
Direct Dependencies: golang.org/x/crypto:v0.32.0, github.com/go-git/go-billy/v5:v5.6.2, github.com/go-git/go-git/v5:v5.13.2, github.com/jfrog/jfrog-cli-artifactory:v0.2.1, github.com/jfrog/jfrog-cli-core/v2:v2.58.2, github.com/jfrog/jfrog-cli-security:v1.16.2, github.com/jfrog/jfrog-client-go:v1.51.1, github.com/skeema/knownhosts:v1.3.1, golang.org/x/net:v0.34.0
Impacted Dependency: golang.org/x/crypto:v0.32.0
Fixed Versions: [0.35.0]
CVSS V3: 7.5

Unbounded resource consumption in Go's crypto/ssh allows unauthenticated network attackers to cause denial of service.

🔬 JFrog Research Details

Description:
The golang package x/crypto/ssh implements an SSH client and server.

To establish trust between two sides connecting over SSH, the SSH handshake performs a key exchange. During this process each side sends the other an SSH_MSG_KEXINIT packet which initializes the exchange.

Once side A has sent its SSH_MSG_KEXINIT packet, it is open to receiving normal data packets from side B. These packets are queued and processed once the key exchange is complete. However, if side B is slow at sending its own SSH_MSG_KEXINIT packet and quick at sending data packets, or if side B is a malicious peer that deliberately refrains from sending the SSH_MSG_KEXINIT packet, the queued data packets can drain side A's memory and cause denial of service through resource consumption.

[ CVE-2025-22872 ] golang.org/x/net v0.34.0

Vulnerability Details

Contextual Analysis: Not Applicable
Direct Dependencies: github.com/go-git/go-git/v5:v5.13.2, github.com/jfrog/jfrog-cli-artifactory:v0.2.1, github.com/jfrog/jfrog-cli-core/v2:v2.58.2, github.com/jfrog/jfrog-cli-security:v1.16.2, github.com/jfrog/jfrog-client-go:v1.51.1, golang.org/x/net:v0.34.0, github.com/go-git/go-billy/v5:v5.6.2
Impacted Dependency: golang.org/x/net:v0.34.0
Fixed Versions: [0.38.0]
CVSS V3: -

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing; when using the Parse functions, this can result in content following such tags being placed in the wrong scope during DOM construction, but only when the tags are in foreign content (e.g. inside SVG or MathML elements).

[ CVE-2025-22870 ] golang.org/x/net v0.34.0

Vulnerability Details

Contextual Analysis: Not Applicable
Direct Dependencies: github.com/jfrog/jfrog-client-go:v1.51.1, golang.org/x/net:v0.34.0, github.com/go-git/go-billy/v5:v5.6.2, github.com/go-git/go-git/v5:v5.13.2, github.com/jfrog/jfrog-cli-artifactory:v0.2.1, github.com/jfrog/jfrog-cli-core/v2:v2.58.2, github.com/jfrog/jfrog-cli-security:v1.16.2
Impacted Dependency: golang.org/x/net:v0.34.0
Fixed Versions: [0.36.0]
CVSS V3: 4.4

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.


Labels: improvement (Automatically generated release notes)