Skip to content

Update golang.org/x/crypto to address security vulnerabilities #30621

Description

@sebrandon1

⚠️ Outdated golang.org/x/crypto Dependency

This repository is currently using golang.org/x/crypto v0.45.0 but the latest version is v0.53.0.

Last scanned: 2026-07-08 08:07 UTC

Why Update?

Keeping cryptographic dependencies up-to-date is critical for security. Newer versions often include fixes for known vulnerabilities.

🔒 Security Vulnerabilities Fixed in Newer Versions

The following CVEs have been addressed in versions after v0.45.0:

  • CVE-2026-39827 (MODERATE): golang.org/x/crypto: Invoking memory leak when rejecting channels can lead to DoS - Fixed in 0.52.0 (details)
  • CVE-2026-39828 (MODERATE): golang.org/x/crypto vulnerable to invoking bypass of certificate restrictions - Fixed in 0.52.0 (details)
  • CVE-2026-39829 (HIGH): golang.org/x/crypto: Invoking pathological RSA/DSA parameters may cause DoS - Fixed in 0.52.0 (details)
  • CVE-2026-39830 (CRITICAL): golang.org/x/crypto: Invoking client can cause server deadlock on unexpected responses - Fixed in 0.52.0 (details)
  • CVE-2026-39831 (CRITICAL): golang.org/x/crypto: FIDO/U2F security key physical presence check can be bypassed - Fixed in 0.52.0 (details)
  • CVE-2026-39832 (CRITICAL): golang.org/x/crypto doesn't drop invoking agent constraints when forwarding keys - Fixed in 0.52.0 (details)
  • CVE-2026-39833 (CRITICAL): golang.org/x/crypto doesn't enforce invoking key constraints - Fixed in 0.52.0 (details)
  • CVE-2026-39834 (CRITICAL): golang.org/x/crypto vulnerable to infinite loop on large channel writes - Fixed in 0.52.0 (details)
  • CVE-2026-39835 (MODERATE): golang.org/x/crypto is vulnerable to invoking server panic during CheckHostKey/Authenticate flow - Fixed in 0.52.0 (details)
  • CVE-2026-42508 (CRITICAL): golang.org/x/crypto vulnerable to auth bypass via unenforced @Revoked status - Fixed in 0.52.0 (details)
  • CVE-2026-46595 (CRITICAL): golang.org/x/crypto: Invoking VerifiedPublicKeyCallback permissions skip enforcement - Fixed in 0.52.0 (details)
  • CVE-2026-46597 (HIGH): golang.org/x/crypto: Invoking byte arithmetic causes underflow and panic - Fixed in 0.52.0 (details)
  • CVE-2026-46598 (MODERATE): golang.org/x/crypto: Invoking pathological inputs can lead to client panic - Fixed in 0.52.0 (details)

🤖 Recommendation: Enable Dependabot

This repository does not appear to have Dependabot configured. We recommend enabling Dependabot to automatically keep your go.mod dependencies up-to-date and receive security alerts.

To enable Dependabot, create a .github/dependabot.yml file:

version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10

See GitHub Dependabot documentation for more details.

📋 How to Update

Run the following command to update:

go get golang.org/x/crypto@v0.53.0
go mod tidy

Then run your tests and submit a PR with the changes.

🔗 Central Tracking

This issue is part of an organization-wide effort to keep golang.org/x/crypto dependencies up-to-date.

See the central tracking issue for a full overview: redhat-best-practices-for-k8s/telco-bot#59


This issue is automatically managed by the xcrypto-lookup.sh scanner.

Metadata

Metadata

Assignees

No one assigned

    Labels

    lifecycle/staleDenotes an issue or PR has remained open with no activity and has become stale.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions