security: upgrade Go to 1.25.8 to fix 20 CVEs

[yashkrishnan]

Security: Upgrade Go to 1.25.8 to Fix 20 CVEs

This PR upgrades the Go version from 1.25.0 to 1.25.8 across all modules in the opentelemetry-go repository to address multiple critical, high, and medium severity security vulnerabilities in the Go standard library.

A comprehensive vulnerability scan using govulncheck identified 20 CVEs affecting the codebase:

• 2 critical vulnerabilities actively called in the code
• 18 additional vulnerabilities in imported packages and dependencies

Changes

• Updated go directive from 1.25.0 to 1.25.8 in 27 go.mod files
• Ran go mod tidy to refresh dependencies
• All changes are non-breaking and only affect the Go toolchain version

Files Modified

27 files changed, 27 insertions(+), 27 deletions(-)

Modules Updated:

• Main module: go.mod
• SDK: sdk/go.mod, sdk/metric/go.mod, sdk/log/go.mod, sdk/log/logtest/go.mod
• Exporters: All OTLP (grpc/http), Prometheus, Zipkin, Stdout exporters
• Bridges: bridge/opencensus/go.mod, bridge/opentracing/go.mod
• Core: trace/go.mod, metric/go.mod, log/go.mod, log/logtest/go.mod
• Schema & Tools: schema/go.mod, internal/tools/go.mod

Vulnerabilities Fixed

Critical/High Severity (Actively Called in Code)

1. GO-2026-4601 - Incorrect parsing of IPv6 host literals in net/url
2. GO-2025-4010 - Insufficient validation of bracketed IPv6 hostnames in net/url

High/Medium Severity (In Dependencies)

3. GO-2026-4602 - FileInfo can escape from a Root in os
4. GO-2026-4341 - Memory exhaustion in query parameter parsing in net/url
5. GO-2026-4340 - Handshake messages at incorrect encryption level in crypto/tls
6. GO-2026-4337 - Unexpected session resumption in crypto/tls
7. GO-2025-4175 - Improper DNS name constraints in crypto/x509
8. GO-2025-4155 - Excessive resource consumption in crypto/x509
9. GO-2025-4015 - Excessive CPU consumption in net/textproto
10. GO-2025-4013 - Panic with DSA public keys in crypto/x509
11. GO-2025-4012 - Memory exhaustion parsing cookies in net/http
12. GO-2025-4011 - Memory exhaustion parsing DER in encoding/asn1
13. GO-2025-4009 - Quadratic complexity in encoding/pem
14. GO-2025-4008 - ALPN negotiation error in crypto/tls
15. GO-2025-4007 - Quadratic complexity in name constraints in crypto/x509
16. GO-2025-3955 - CrossOriginProtection bypass in net/http
17. GO-2026-4603 - URLs not escaped in meta content in html/template
18. GO-2026-4342 - Excessive CPU in archive index in archive/zip
19. GO-2025-4014 - Unbounded allocation in archive/tar
20. GO-2025-4006 - Excessive CPU in ParseAddress in net/mail

Testing

Vulnerability Scan Results

Before:

Your code is affected by 2 vulnerabilities from the Go standard library.
This scan also found 14 vulnerabilities in packages you import and 4
vulnerabilities in modules you require.

After:

No vulnerabilities found.

Test Suite Results

All tests passed with race detection enabled (-race flag)

Test Coverage:

• Core modules: go.opentelemetry.io/otel, attribute, baggage, codes, propagation
• Trace: trace, trace/noop, trace/internal/telemetry
• Metric: metric, metric/noop
• Log: log, log/global, log/noop, log/logtest
• SDK: sdk, sdk/trace, sdk/metric, sdk/log, sdk/resource
• Exporters: OTLP (grpc/http), Prometheus, Zipkin, Stdout (all variants)
• Bridges: OpenCensus, OpenTracing
• Schema: All schema versions

Test Execution:

make test-default

• All module tests passed
• Race detection enabled
• No test failures or warnings
• Total test time: ~2-3 minutes

Verification Commands

# Verify Go version
go version
# Output: go version go1.25.8 darwin/arm64

# Run vulnerability scan
govulncheck ./...
# Output: No vulnerabilities found.

# Run tests
make test-default
# Output: All tests passed

Impact

• Security: Resolves 20 CVEs (2 critical, 18 high/medium)
• Compatibility: No breaking changes, backward compatible
• Performance: No performance impact
• Dependencies: Only Go toolchain version updated

Checklist

• Updated Go version in all 27 go.mod files
• Ran go mod tidy on all modules
• Verified with govulncheck - no vulnerabilities found
• All tests pass with race detection
• No breaking changes
• Commit message follows conventional commits format

Related Issues

Addresses security vulnerabilities identified in Go standard library versions prior to 1.25.8.

Additional Notes

• This is a security-critical update and should be merged as soon as possible
• The upgrade path from 1.25.0 to 1.25.8 is seamless with no API changes
• All existing functionality remains intact

[dmathieu]

We're not doing patch upgrades. We are a library, meaning the dependency version we require is a minimum version, not the actual one folks have to use.
It's therefore up to you, within your app, to upgrade the indirect dependency.

[yashkrishnan]

@dmathieu please refer to this open-telemetry/opentelemetry-collector#15052

[yashkrishnan]

We're not doing patch upgrades. We are a library, meaning the dependency version we require is a minimum version, not the actual one folks have to use.
It's therefore up to you, within your app, to upgrade the indirect dependency.

@dmathieu Thank you for the feedback. I understand your concern, but this PR addresses the Go toolchain version, not dependency versions.

Key Points

This PR changes:

go 1.25.0  →  go 1.25.8

Why this matters:

• The vulnerabilities (GO-2026-4601, GO-2025-4010) are in Go's standard library (net/url), not external dependencies
• The go directive specifies the minimum Go toolchain version required to build the module
• Users building with Go 1.25.0-1.25.7 will remain vulnerable regardless of dependency updates
• Go 1.25.8 is a patch release with no breaking changes

[dmathieu]

Users building with Go 1.25.0-1.25.7 will remain vulnerable regardless of dependency updates

That's what users should change, their Go version.
If we start doing this, it means we also need to do a patch release. Otherwise, there could be a couple months before we do a new minor.