Security Issue: Critical CVE in csi-resizer v1.13.2 Image #505

@talkraghu

Description

Summary

Apologies if I was not supposed to bring up open CVEs on images here. I scanned through https://groups.google.com/g/kubernetes-security-announce for the reported CVE and did not find an advisory. Hence I thought of raising it here. The csi-resizer Docker image built from this repository (csi-resizer:v1.13.2) contains a critical security vulnerability in the Go standard library (stdlib) due to the use of Go 1.23.8. Additionally, a high-severity CVE is present in Go 1.23.10.

This impacts environments where container security policies strictly restrict known CVEs, especially critical ones.


🛡️ CVE Details

| Package | Go Version | Fixed In | CVE ID | Severity | CVSS | Vector |
| -- | -- | -- | -- | -- | -- | -- |
| stdlib | go1.23.8 | 1.24.2 | CVE-2025-22871 | Critical | 4.46 | < 0.1 |
| stdlib | go1.23.10 | 1.24.4 | CVE-2025-22874 | High | 4.14 | < 0.1 |

  • CVE-2025-22871: Affects go-module due to insufficient bounds checking in certain stdlib functions.

  • CVE-2025-22874: Relates to unsafe memory operations leading to denial of service or data corruption in certain environments.


📦 Affected Image

  • Repository: kubernetes-csi/external-resizer

  • Affected Tag: v1.13.2

  • Go base: go1.23.1, with stdlib version 1.23.8


💡 Recommendation

Please consider updating the Go toolchain used in the build process to Go 1.24.4 or later, which fixes both CVEs.

If required, I can help submit a PR to update the Dockerfile accordingly.


📁 References

CVE-2025-22871

CVE-2025-22874

Go Release Notes

Metadata

Assignees: No one assigned

Labels: lifecycle/rotten (Denotes an issue or PR that has aged beyond stale and will be auto-closed.)

Type: No type

Projects: No projects

Milestone: No milestone

Relationships: None yet

Development: No branches or pull requests