Renovate: Update module github.com/cert-manager/cert-manager to v1.18.5 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/cert-manager/cert-manager	v1.18.2 → v1.18.5

---

cert-manager-controller DoS via Specially Crafted DNS Response

GHSA-gx3x-vq4p-mhhv

More information

Details

Impact

The cert-manager-controller performs DNS lookups during ACME DNS-01 processing (for zone discovery and propagation self-checks). By default, these lookups use standard unencrypted DNS.

An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a crafted entry into cert-manager's DNS cache. Accessing this entry will trigger a panic, resulting in Denial of Service (DoS) of the cert-manager controller.

The issue can also be exploited if the authoritative DNS server for the domain being validated is controlled by a malicious actor.

Patches

The vulnerability was introduced in cert-manager v1.18.0 and has been patched in cert-manager v1.19.3 and v1.18.5, which are the supported minor releases at the time of publishing.

cert-manager versions prior to v1.18.0 are unaffected.

Workarounds

• Using DNS-over-HTTPS reduces the risk of DNS traffic being intercepted and modified.
  • Note that DNS-over-HTTPS does not prevent the risk of an attacker-controlled authoritative DNS server.

Resources

• Fix for cert-manager 1.18: https://github.com/cert-manager/cert-manager/pull/8467
• Fix for cert-manager 1.19: https://github.com/cert-manager/cert-manager/pull/8468
• Fix for master branch: https://github.com/cert-manager/cert-manager/pull/8469

Credits

Huge thanks to Oleh Konko (@​1seal) for reporting the issue, providing a detailed PoC and an initial patch!

Severity

• CVSS Score: 5.9 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/cert-manager/cert-manager/security/advisories/GHSA-gx3x-vq4p-mhhv
• https://github.com/cert-manager/cert-manager/pull/8467
• https://github.com/cert-manager/cert-manager/pull/8468
• https://github.com/cert-manager/cert-manager/pull/8469
• https://github.com/cert-manager/cert-manager/commit/409fc24e539711a07aae45ed45abbe03dfdad2cc
• https://github.com/cert-manager/cert-manager/commit/9a73a0b3853035827edd37ac463e4803ba10327d
• https://github.com/cert-manager/cert-manager/commit/d4faed26ae12115cceb807cdc12507ebc28980e2
• https://github.com/cert-manager/cert-manager

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

cert-manager/cert-manager (github.com/cert-manager/cert-manager)

v1.18.5

Compare Source

v1.18.4

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

We updated Go to fix some vulnerabilities in the standard library.

📖 Read the full 1.18 release notes on the cert-manager.io website before upgrading.

Changes since v1.18.3

Bug or Regression

• Address false positive vulnerabilities CVE-2025-47914 and CVE-2025-58181 which were reported by Trivy. (#​8282, @​SgtCoDFish)
• Update Go to v1.24.11 to fix CVE-2025-61727 and CVE-2025-61729 (#​8295, @​wallrj-cyberark)

Other (Cleanup or Flake)

• Update cert-manager's ACME client, forked from golang/x/crypto (#​8271, @​SgtCoDFish)
• Updated Debian 12 distroless base images (#​8328, @​wallrj-cyberark)

v1.18.3

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

We fixed a bug which caused certificates to be re-issued unexpectedly, if the issuerRef kind or group was changed to one of the "runtime" default values. We increased the size limit when parsing PEM certificate chains to handle leaf certificates with large numbers of DNS named or other identities. We upgraded Go to 1.24.9 to fix various non-critical security vulnerabilities.

📖 Read the full 1.18 release notes on the cert-manager.io website before upgrading.

Changes since v1.18.2:

Bug or Regression

• BUGFIX: in case kind or group in the issuerRef of a Certificate was omitted, upgrading to 1.19.x incorrectly caused the certificate to be renewed (#​8174, @​cert-manager-bot)
• Bump Go to 1.24.9. Fixes the following vulnerabilities: CVE-2025-61724, CVE-2025-58187, CVE-2025-47912, CVE-2025-58183, CVE-2025-61723, CVE-2025-58186, CVE-2025-58185, CVE-2025-58188, CVE-2025-61725 (#​8176, @​wallrj-cyberark)
• Increase maximum sizes of PEM certificates and chains which can be parsed in cert-manager, to handle leaf certificates with large numbers of DNS names or other identities (#​7966, @​cert-manager-bot)

Other (Cleanup or Flake)

• Improve error messages when certificates, CRLs or private keys fail admission due to malformed or missing PEM data (#​7964, @​cert-manager-bot)
• Upgrades Go to v1.24.6 (#​7974, @​SgtCoDFish)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 6 additional dependencies were updated

Details:

Package	Change
golang.org/x/net	v0.41.0 -> v0.47.0
golang.org/x/sync	v0.15.0 -> v0.18.0
golang.org/x/sys	v0.33.0 -> v0.38.0
golang.org/x/term	v0.32.0 -> v0.37.0
golang.org/x/text	v0.26.0 -> v0.31.0
golang.org/x/tools	v0.33.0 -> v0.38.0