⚠️ Outdated golang.org/x/crypto Dependency
This repository is currently using golang.org/x/crypto v0.45.0 but the latest version is v0.53.0.
Last scanned: 2026-07-08 08:07 UTC
Why Update?
Keeping cryptographic dependencies up-to-date is critical for security. Newer versions often include fixes for known vulnerabilities.
🔒 Security Vulnerabilities Fixed in Newer Versions
The following CVEs have been addressed in versions after v0.45.0:
- CVE-2026-39827 (MODERATE): golang.org/x/crypto: Invoking memory leak when rejecting channels can lead to DoS - Fixed in
0.52.0 (details)
- CVE-2026-39828 (MODERATE): golang.org/x/crypto vulnerable to invoking bypass of certificate restrictions - Fixed in
0.52.0 (details)
- CVE-2026-39829 (HIGH): golang.org/x/crypto: Invoking pathological RSA/DSA parameters may cause DoS - Fixed in
0.52.0 (details)
- CVE-2026-39830 (CRITICAL): golang.org/x/crypto: Invoking client can cause server deadlock on unexpected responses - Fixed in
0.52.0 (details)
- CVE-2026-39831 (CRITICAL): golang.org/x/crypto: FIDO/U2F security key physical presence check can be bypassed - Fixed in
0.52.0 (details)
- CVE-2026-39832 (CRITICAL): golang.org/x/crypto doesn't drop invoking agent constraints when forwarding keys - Fixed in
0.52.0 (details)
- CVE-2026-39833 (CRITICAL): golang.org/x/crypto doesn't enforce invoking key constraints - Fixed in
0.52.0 (details)
- CVE-2026-39834 (CRITICAL): golang.org/x/crypto vulnerable to infinite loop on large channel writes - Fixed in
0.52.0 (details)
- CVE-2026-39835 (MODERATE): golang.org/x/crypto is vulnerable to invoking server panic during CheckHostKey/Authenticate flow - Fixed in
0.52.0 (details)
- CVE-2026-42508 (CRITICAL): golang.org/x/crypto vulnerable to auth bypass via unenforced @Revoked status - Fixed in
0.52.0 (details)
- CVE-2026-46595 (CRITICAL): golang.org/x/crypto: Invoking VerifiedPublicKeyCallback permissions skip enforcement - Fixed in
0.52.0 (details)
- CVE-2026-46597 (HIGH): golang.org/x/crypto: Invoking byte arithmetic causes underflow and panic - Fixed in
0.52.0 (details)
- CVE-2026-46598 (MODERATE): golang.org/x/crypto: Invoking pathological inputs can lead to client panic - Fixed in
0.52.0 (details)
🤖 Recommendation: Enable Dependabot
This repository does not appear to have Dependabot configured. We recommend enabling Dependabot to automatically keep your go.mod dependencies up-to-date and receive security alerts.
To enable Dependabot, create a .github/dependabot.yml file:
version: 2
updates:
- package-ecosystem: "gomod"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
See GitHub Dependabot documentation for more details.
📋 How to Update
Run the following command to update:
go get golang.org/x/crypto@v0.53.0
go mod tidy
Then run your tests and submit a PR with the changes.
🔗 Central Tracking
This issue is part of an organization-wide effort to keep golang.org/x/crypto dependencies up-to-date.
See the central tracking issue for a full overview: redhat-best-practices-for-k8s/telco-bot#59
This issue is automatically managed by the xcrypto-lookup.sh scanner.
This repository is currently using
golang.org/x/crypto v0.45.0but the latest version isv0.53.0.Why Update?
Keeping cryptographic dependencies up-to-date is critical for security. Newer versions often include fixes for known vulnerabilities.
🔒 Security Vulnerabilities Fixed in Newer Versions
The following CVEs have been addressed in versions after v0.45.0:
0.52.0(details)0.52.0(details)0.52.0(details)0.52.0(details)0.52.0(details)0.52.0(details)0.52.0(details)0.52.0(details)0.52.0(details)0.52.0(details)0.52.0(details)0.52.0(details)0.52.0(details)🤖 Recommendation: Enable Dependabot
This repository does not appear to have Dependabot configured. We recommend enabling Dependabot to automatically keep your
go.moddependencies up-to-date and receive security alerts.To enable Dependabot, create a
.github/dependabot.ymlfile:See GitHub Dependabot documentation for more details.
📋 How to Update
Run the following command to update:
Then run your tests and submit a PR with the changes.
🔗 Central Tracking
This issue is part of an organization-wide effort to keep
golang.org/x/cryptodependencies up-to-date.See the central tracking issue for a full overview: redhat-best-practices-for-k8s/telco-bot#59
This issue is automatically managed by the xcrypto-lookup.sh scanner.