fix: update Go version to 1.25.7 to address critical security vulnerabilities#7472

Open · WSandboxedOCCodeBot wants to merge 1 commit into kedacore:main from WSandboxedOCCodeBot:fix/go-version-security-update-1.25.7

Conversation

@WSandboxedOCCodeBot

Summary

This updates the Go version from 1.25.0 to 1.25.7 to fix the following critical and high severity vulnerabilities in the Go standard library:

CRITICAL:
- CVE-2025-68121: crypto/tls: Unexpected session resumption in crypto/tls
- CVE-2024-24790: net/netip: Unexpected behavior from Is methods
- CVE-2024-45337: golang.org/x/crypto/ssh: Authorization bypass

HIGH:
- CVE-2025-61726: net/url: Memory exhaustion in query parameter parsing
- CVE-2025-61728: archive/zip: Excessive CPU consumption
- CVE-2025-61729: crypto/x509: Denial of Service
- CVE-2025-61730: TLS 1.3 handshake vulnerability
- CVE-2025-30204: golang-jwt/jwt: Memory allocation during header parsing
- CVE-2025-22868: golang.org/x/oauth2/jws: Memory consumption
- CVE-2025-22869: golang.org/x/crypto/ssh: DoS in Key Exchange

Vulnerability Scan Results

Trivy scan of ghcr.io/kedacore/keda:2.12.0 found 3 CRITICAL and 19 HIGH vulnerabilities that are fixed by updating to Go 1.25.7.

Testing

  • go mod tidy completed successfully
  • No breaking changes - only Go version bump

Signed-off-by: WSandboxedOCCodeBot <bot@openclaw.dev>

…bilities

This updates the Go version from 1.25.0 to 1.25.7 to fix the following
critical and high severity vulnerabilities in the Go standard library:

CRITICAL:
- CVE-2025-68121: crypto/tls: Unexpected session resumption in crypto/tls
- CVE-2024-24790: net/netip: Unexpected behavior from Is methods
- CVE-2024-45337: golang.org/x/crypto/ssh: Authorization bypass

HIGH:
- CVE-2025-61726: net/url: Memory exhaustion in query parameter parsing
- CVE-2025-61728: archive/zip: Excessive CPU consumption
- CVE-2025-61729: crypto/x509: Denial of Service
- CVE-2025-61730: TLS 1.3 handshake vulnerability
- CVE-2025-30204: golang-jwt/jwt: Memory allocation during header parsing
- CVE-2025-22868: golang.org/x/oauth2/jws: Memory consumption
- CVE-2025-22869: golang.org/x/crypto/ssh: DoS in Key Exchange

Signed-off-by: WSandboxedOCCodeBot <bot@openclaw.dev>
@WSandboxedOCCodeBot WSandboxedOCCodeBot requested a review from a team as a code owner February 22, 2026 20:00
@github-actions

Thank you for your contribution! 🙏

Please understand that we will do our best to review your PR and give you feedback as soon as possible, but please bear with us if it takes a little longer than expected.

While you are waiting, make sure to:

  • Add an entry in our changelog in alphabetical order and link related issue
  • Update the documentation, if needed
  • Add unit & e2e tests for your changes
  • GitHub checks are passing
  • Is the DCO check failing? Here is how you can fix DCO issues

Once the initial tests are successful, a KEDA member will ensure that the e2e tests are run. Once the e2e tests have been successfully completed, the PR may be merged at a later date. Please be patient.

Learn more about our contribution guide.

@keda-automation keda-automation requested a review from a team February 22, 2026 20:00
@snyk-io

snyk-io bot commented Feb 22, 2026

⚠️ Snyk checks are incomplete.

Status  Scanner               Critical  High  Medium  Low  Total
⚠️      Open Source Security  0         0     0       0    0 (See details)


@JorTurFer (Member) left a comment

we don't set the latest version here but in docker images. As go.mod just sets the minimum version, we can keep this "free" for any 1.25 and enforce it during docker generation

@JorTurFer (Member)

in any case, thanks for the report, I can prepare a PR later on for this if you want. The idea is to modify docker tags for image generation (dockerfiles) as well as the tag used for gh actions containers. The image 1.25.7 is in the build process -> https://github.com/kedacore/test-tools/actions/runs/22284693777/job/64460881884
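The point made in the review above is that the `go` directive in go.mod is only a minimum, so for standard-library CVEs what matters is the toolchain in the builder image, not the number in go.mod. The check below is an added example written for this page; it is not KEDA code and not part of the PR. It reads the toolchain version stamped into a built Go binary (the same embedded build metadata that `go version -m` prints and that binary scanners read) and compares it against a required minimum such as go1.25.7. The command name `gocheck` and the binary paths in the usage line are illustrative assumptions.

```go
package main

import (
	"debug/buildinfo"
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// goVersion is a parsed toolchain version string as stamped into binaries
// and returned by runtime.Version(): "go1.25", "go1.25.7", "go1.26rc1".
type goVersion struct {
	major, minor, patch int
	pre                 string // "rc1", "beta2", ...; empty for a final release
}

// parseGoVersion splits "goX.Y[.Z][pre]" into its parts. Text after a space
// (e.g. a GOEXPERIMENT suffix) is ignored; "devel ..." tip builds are rejected.
func parseGoVersion(s string) (goVersion, error) {
	var v goVersion
	bad := fmt.Errorf("not a release toolchain version: %q", s)
	s, _, _ = strings.Cut(s, " ")
	rest, ok := strings.CutPrefix(s, "go")
	if !ok {
		return v, bad
	}
	// The numeric part ends at the first character that is not a digit or dot.
	cut := len(rest)
	for i, c := range rest {
		if c != '.' && (c < '0' || c > '9') {
			cut = i
			break
		}
	}
	v.pre = rest[cut:]
	parts := strings.Split(rest[:cut], ".")
	if len(parts) < 2 || len(parts) > 3 {
		return v, bad
	}
	nums := make([]int, 3) // patch stays 0 for two-part versions like "go1.25"
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, bad
		}
		nums[i] = n
	}
	v.major, v.minor, v.patch = nums[0], nums[1], nums[2]
	return v, nil
}

// compare returns -1, 0 or +1. A final release sorts after any pre-release of
// the same number ("go1.26rc1" < "go1.26.0"); two pre-release tags compare as
// strings, which puts "beta" before "rc".
func compare(a, b goVersion) int {
	for _, d := range []int{a.major - b.major, a.minor - b.minor, a.patch - b.patch} {
		if d < 0 {
			return -1
		} else if d > 0 {
			return 1
		}
	}
	switch {
	case a.pre == b.pre:
		return 0
	case a.pre == "" || (b.pre != "" && a.pre > b.pre):
		return 1
	default:
		return -1
	}
}

// ToolchainAtLeast reports whether toolchain version `have` is at least `minimum`.
func ToolchainAtLeast(have, minimum string) (bool, error) {
	h, err1 := parseGoVersion(have)
	m, err2 := parseGoVersion(minimum)
	if err := errors.Join(err1, err2); err != nil {
		return false, err
	}
	return compare(h, m) >= 0, nil
}

// CheckBinary reads the build metadata embedded in a Go binary on disk and
// checks the toolchain that built it, which is what a stdlib CVE scan keys on.
func CheckBinary(path, minimum string) (have string, ok bool, err error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	ok, err = ToolchainAtLeast(bi.GoVersion, minimum)
	return bi.GoVersion, ok, err
}

// Usage (paths illustrative): go run gocheck.go go1.25.7 ./keda ./keda-adapter
func main() {
	if len(os.Args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: gocheck <min-go-version> <binary>...")
		os.Exit(2)
	}
	exit := 0
	for _, p := range os.Args[2:] {
		have, ok, err := CheckBinary(p, os.Args[1])
		if err != nil {
			fmt.Printf("%s: error: %v\n", p, err)
			exit = 1
		} else if !ok {
			fmt.Printf("%s: built with %s, below %s\n", p, have, os.Args[1])
			exit = 1
		} else {
			fmt.Printf("%s: built with %s, ok\n", p, have)
		}
	}
	os.Exit(exit)
}
```

To run it against a published image, extract the binary first (for example `docker create` followed by `docker cp` of the binary out of the container) and pass the path; a non-zero exit is what a CI gate would key on. The same comparison can be applied to the running process via `runtime/debug.ReadBuildInfo()` for a startup self-check. Note that this only covers the standard library: findings in third-party modules such as golang.org/x/crypto or golang-jwt/jwt are fixed by bumping those modules in go.mod, not by the toolchain version.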
