CVE-2025-22869 and CVE-2025-27144 vulnerabilities in slsa-verifier v2.7.0

**Description**

We identified two security vulnerabilities in `slsa-verifier` version **2.7.0** through our internal Snyk scans. These CVEs are linked to dependencies used by the project:

* **CVE-2025-22869** — A vulnerability in `golang.org/x/crypto/ssh`
* **CVE-2025-27144** — A vulnerability in `github.com/go-jose/go-jose/v4`

These issues may expose systems using `slsa-verifier` to cryptographic weaknesses or other security risks, particularly in environments with automated supply chain verification or signature validation.

Please confirm:

* Whether `slsa-verifier` v2.7.0 includes the vulnerable versions of these libraries.
* If an upgrade path or mitigation is available.
* Whether a patched release is planned or already available.

**Steps to reproduce:**

1. Download and scan the `slsa-verifier` v2.7.0 binary using `snyk test` or an equivalent vulnerability scanner.
2. Observe the following CVEs:

   * CVE-2025-22869 (`x/crypto/ssh`)
   * CVE-2025-27144 (`go-jose/v4`)

**Expected behavior:**

All dependencies used by `slsa-verifier` should be free of known vulnerabilities, particularly in a security-critical toolchain component.

**Version**

```
v2.7.0
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2025-22869 and CVE-2025-27144 vulnerabilities in slsa-verifier v2.7.0 #846

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CVE-2025-22869 and CVE-2025-27144 vulnerabilities in slsa-verifier v2.7.0 #846

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions