Update Go toolchain and dependencies to address CRITICAL and HIGH CVEs #4080
Description
Summary
The v25.4.0 Docker image contains Go dependencies with known published CVEs. These are detected by Trivy when the Hydra binary is included in downstream container images.
CRITICAL
| Library | CVE | Installed | Fixed |
|---|---|---|---|
| Go stdlib | CVE-2025-68121 | 1.25.2 | 1.25.7+ |
Unexpected session resumption in crypto/tls.
HIGH
| Library | CVE | Installed | Fixed |
|---|---|---|---|
go.opentelemetry.io/otel/sdk |
CVE-2026-24051 | v1.38.0 | 1.40.0 |
| Go stdlib | CVE-2025-61726 | 1.25.2 | 1.25.6 |
| Go stdlib | CVE-2025-61728 | 1.25.2 | 1.25.6 |
| Go stdlib | CVE-2025-61729 | 1.25.2 | 1.25.5 |
MEDIUM
| Library | CVE | Installed | Fixed |
|---|---|---|---|
golang.org/x/crypto |
CVE-2025-47914 | v0.42.0 | 0.45.0 |
golang.org/x/crypto |
CVE-2025-58181 | v0.42.0 | 0.45.0 |
Requested change
A patch release with:
- Go toolchain bump to at least 1.25.8 (fixes all stdlib CVEs)
go get go.opentelemetry.io/otel/sdk@v1.40.0go get golang.org/x/crypto@v0.45.0