
Conversation

@renovate-sh-app

@renovate-sh-app renovate-sh-app bot commented Nov 14, 2025

This PR contains the following updates:

| Package             | Change             |
| ------------------- | ------------------ |
| golang.org/x/crypto | v0.43.0 -> v0.45.0 |

GitHub Vulnerability Alerts

CVE-2025-58181

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

CVE-2025-47914

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.


Unbounded memory consumption in golang.org/x/crypto/ssh

CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134

More information

Details

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read

CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135

More information

Details

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent

CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135

More information

Details

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption

CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134

More information

Details

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.
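Both advisories above describe the same defensive gap: a count or length read from the wire is trusted before it is checked against the bytes actually received, so a malformed message either drives allocation (CVE-2025-58181) or an out-of-bounds read (CVE-2025-47914). The following Go program is an added example written for this thread, not code from golang.org/x/crypto or its fix commits. It parses the RFC 4462 section 3.2 mechanism list of a GSSAPI userauth request (uint32 count followed by that many SSH strings) with the count capped before any allocation and every string length validated before slicing. The limits maxMechanisms and maxStringLen, the function names and the sample messages are this example's own assumptions.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Added example for this thread, not the x/crypto code; limits are assumptions.
const (
	maxMechanisms = 16      // cap on the uint32 mechanism count before allocating
	maxStringLen  = 1 << 16 // cap on any single SSH "string" field
)

var (
	ErrTruncated    = errors.New("message truncated")
	ErrTooMany      = errors.New("mechanism count exceeds limit")
	ErrStringTooBig = errors.New("string length exceeds limit")
)

// readString decodes one SSH "string" (uint32 length, then that many bytes).
// The declared length is compared with the bytes actually present before
// slicing; skipping that comparison is what turns a malformed message into
// an out-of-bounds read.
func readString(buf []byte) (value, rest []byte, err error) {
	if len(buf) < 4 {
		return nil, nil, ErrTruncated
	}
	n := binary.BigEndian.Uint32(buf)
	if n > maxStringLen {
		return nil, nil, ErrStringTooBig
	}
	buf = buf[4:]
	if uint64(len(buf)) < uint64(n) {
		return nil, nil, ErrTruncated
	}
	return buf[:n], buf[n:], nil
}

// parseMechanisms decodes the mechanism list of a GSSAPI userauth request
// (RFC 4462 section 3.2): uint32 n_mech followed by n_mech strings, each a
// DER-encoded mechanism OID. The count is bounded before make() runs, so a
// claimed count near 2^32 cannot drive allocation; each entry is then
// length-checked by readString.
func parseMechanisms(payload []byte) ([][]byte, error) {
	if len(payload) < 4 {
		return nil, ErrTruncated
	}
	count := binary.BigEndian.Uint32(payload)
	if count > maxMechanisms {
		return nil, ErrTooMany
	}
	rest := payload[4:]
	// Each entry needs at least its 4-byte length prefix, so a count that
	// cannot fit in the remaining bytes is rejected before any parsing.
	if uint64(count)*4 > uint64(len(rest)) {
		return nil, ErrTruncated
	}
	oids := make([][]byte, 0, count)
	for i := uint32(0); i < count; i++ {
		oid, next, err := readString(rest)
		if err != nil {
			return nil, fmt.Errorf("mechanism %d: %w", i, err)
		}
		oids, rest = append(oids, oid), next
	}
	if len(rest) != 0 {
		return nil, errors.New("trailing bytes after mechanism list")
	}
	return oids, nil
}

// buildMechanisms encodes a list with an arbitrary declared count; the
// constructed malformed samples below are produced with it.
func buildMechanisms(declaredCount uint32, oids [][]byte) []byte {
	out := appendUint32(nil, declaredCount)
	for _, o := range oids {
		out = append(appendUint32(out, uint32(len(o))), o...)
	}
	return out
}

func appendUint32(b []byte, v uint32) []byte {
	return append(b, byte(v>>24), byte(v>>16), byte(v>>8), byte(v))
}

func main() {
	// Constructed samples: the Kerberos V5 mechanism OID (1.2.840.113554.1.2.2)
	// in DER form, in one valid request and two malformed ones.
	krb5 := []byte{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02}
	for name, msg := range map[string][]byte{
		"valid":       buildMechanisms(1, [][]byte{krb5}),
		"count lies":  buildMechanisms(0xffffffff, [][]byte{krb5}),
		"length lies": {0, 0, 0, 1, 0, 0, 1, 0}, // one entry claiming 256 bytes, none present
	} {
		oids, err := parseMechanisms(msg)
		fmt.Printf("%-12s -> %d mechanism(s), err=%v\n", name, len(oids), err)
	}
}
```

The order of the two checks in parseMechanisms is the point: the cap on count and the comparison against the remaining byte count both happen before make() or any slice expression, so neither a huge declared count nor a string whose declared length exceeds the message can reach the allocation or read. The same shape applies to any length-prefixed agent message.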

@renovate-sh-app

renovate-sh-app bot commented Nov 14, 2025

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 5 additional dependencies were updated

Details:

| Package           | Change             |
| ----------------- | ------------------ |
| golang.org/x/net  | v0.46.0 -> v0.47.0 |
| golang.org/x/sync | v0.17.0 -> v0.18.0 |
| golang.org/x/sys  | v0.37.0 -> v0.38.0 |
| golang.org/x/text | v0.30.0 -> v0.31.0 |
| golang.org/x/term | v0.36.0 -> v0.37.0 |

@github-actions

github-actions bot commented Nov 14, 2025

🔍 Dependency Review

Below are the assessed golang.org/x module bumps in this PR. Each section summarizes potential impact and any code changes that may be required. Where applicable, I’ve included suggested code snippets and references for further review.

Legend:

  • ✅ Safe — No issues found. Code changes almost certainly not required.
  • ⚠️ Needs Review — Minor concerns or uncertainties that should be reviewed. Code changes may be required.
  • ❌ Changes Needed — Significant issues or breaking changes. Code changes are required.
golang.org/x/crypto v0.43.0 -> v0.45.0 — ⚠️ Needs Review

Impact summary:

  • The x/crypto module frequently lands security/compatibility updates (notably in the ssh subpackage and crypto primitives). API-breaking changes are uncommon, but security-hardening changes can alter defaults (e.g., preferred/allowed algorithms in ssh) and can expose latent assumptions in tests or legacy integrations.

What to check:

  • If you use golang.org/x/crypto/ssh:
    • Defaults for host key algorithms and MAC/cipher preferences may have been tightened in recent releases (e.g., stronger ordering, continued de-emphasis or exclusion of SHA-1 based algorithms).
    • Connections to legacy SSH servers may fail if they require deprecated algorithms. If you rely on such servers, explicitly configure algorithms to preserve connectivity.

Suggested changes (only if you encounter legacy-server failures):

 import "golang.org/x/crypto/ssh"

 cfg := &ssh.ClientConfig{
     User: "user",
     Auth: []ssh.AuthMethod{ssh.Password("pw")},
     HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+    // Only if you must interoperate with legacy servers that demand older algorithms:
+    HostKeyAlgorithms: []string{
+        ssh.KeyAlgoRSASHA256,
+        ssh.KeyAlgoRSASHA512,
+        ssh.KeyAlgoECDSA256, ssh.KeyAlgoECDSA384, ssh.KeyAlgoECDSA521,
+        // As a last resort to preserve legacy behavior:
+        ssh.KeyAlgoRSA, // "ssh-rsa" (SHA-1) — avoid unless absolutely required
+    },
+    Config: ssh.Config{
+        MACs: []string{
+            "[email protected]",
+            "[email protected]",
+            "[email protected]",
+            // Add "hmac-sha1" only if you must talk to old servers:
+            // "hmac-sha1",
+        },
+    },
 }
  • If you parse or validate certificates/keys with x/crypto subpackages, some validation/securing tweaks across releases can make previously accepted test fixtures invalid (e.g., weak parameters). If tests start failing, regenerate fixtures with modern parameters.

Evidence and references:

golang.org/x/net v0.46.0 -> v0.47.0 — ✅ Safe

Impact summary:

  • x/net updates typically include bug fixes and protocol hardening (e.g., http2, proxy, idna). API removals are rare in minor bumps.
  • If you directly use golang.org/x/net/http2, there are occasional behavioral fixes (flow-control, header/path validation, idle/ping behavior), but public API remains stable.

What to check:

  • If you have golden tests around HTTP/2 behavior (timeouts, error messages), re-run tests; behavior may be slightly improved/changed without API breaks.

Code changes: None expected.

References:

golang.org/x/sync v0.17.0 -> v0.18.0 — ✅ Safe

Impact summary:

  • x/sync (errgroup, singleflight, etc.) is very stable. Minor releases rarely change public APIs or semantics.

Code changes: None expected.

References:

golang.org/x/sys v0.37.0 -> v0.38.0 — ✅ Safe

Impact summary:

  • Adds/updates syscall constants and low-level helpers per-OS/arch. Upgrades are generally additive.

Code changes: None expected.

References:

golang.org/x/text v0.30.0 -> v0.31.0 — ⚠️ Needs Review

Impact summary:

  • x/text updates can include Unicode table bumps and correctness/security fixes (e.g., in cases, norm, secure/bidirule, idna). While API is stable, behavior may shift slightly with a new Unicode version or stricter processing.

What to check:

  • If you have golden tests for:
    • Unicode normalization (norm)
    • Case folding/title-casing (cases)
    • IDNA processing (idna)
      They may produce slightly different outputs after a Unicode data update.

Suggested mitigations (only if behavior regression is observed or legacy behavior required):

  • For IDNA, explicitly set options rather than relying on defaults.
 import "golang.org/x/net/idna"

- p := idna.Profile{} // implicit defaults
+ p := idna.New(
+     idna.MapForLookup(),
+     idna.ValidateForRegistration(),
+     // Choose transitional vs non-transitional mapping explicitly:
+     idna.Transitional(false),
+ )
- out, _, err := transform.String(p.ToUnicode(), input)
+ out, err := p.ToUnicode(input) // *idna.Profile is not a transform.Transformer; call ToUnicode directly
  • For casing behavior, specify language or use language.Und for stable behavior:
 import "golang.org/x/text/cases"
 import "golang.org/x/text/language"

- c := cases.Title(language.Und)
+ c := cases.Title(language.Und) // keep explicit; update golden outputs if tables changed
 s := c.String(in)

References:

golang.org/x/term v0.36.0 -> v0.37.0 — ✅ Safe

Impact summary:

  • x/term changes are typically additive/bug-fix across platforms. Public API is stable.

Code changes: None expected.

References:

Notes

  • All updates are within the same major line of their respective x/ modules and are expected to be backward compatible. The only likely areas requiring attention are:
    • SSH interoperability with legacy servers after x/crypto hardening.
    • Small behavior/Unicode data shifts in x/text that may affect golden tests and string processing edge cases.

Re-run your test suite, particularly any end-to-end tests involving SSH, HTTP/2, and text/IDNA processing.


@witekest witekest left a comment


CVSS Base Score: 7.5

Because of high severity it would be good to include it in 1.12.0 soon.

@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from 9e3011e to 534c1f8 Compare November 14, 2025 15:28
@jharvey10

Once our OTel update gets merged in, I'll get this one merged as well before cutting the 1.12 RC.

@renovate-sh-app renovate-sh-app bot changed the title fix(deps): update module golang.org/x/crypto to v0.43.0 [security] fix(deps): update module golang.org/x/crypto to v0.43.0 [security] - autoclosed Nov 14, 2025
@renovate-sh-app renovate-sh-app bot closed this Nov 14, 2025
@renovate-sh-app renovate-sh-app bot deleted the renovate/go-golang.org-x-crypto-vulnerability branch November 14, 2025 18:34
@renovate-sh-app renovate-sh-app bot changed the title fix(deps): update module golang.org/x/crypto to v0.43.0 [security] - autoclosed fix(deps): update module golang.org/x/crypto to v0.45.0 [security] Nov 20, 2025
@renovate-sh-app renovate-sh-app bot reopened this Nov 20, 2025
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from 321b6e9 to 534c1f8 Compare November 20, 2025 03:34
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from 534c1f8 to 321b6e9 Compare November 20, 2025 03:34
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch 2 times, most recently from e9f5032 to b537c42 Compare November 20, 2025 18:37
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch 2 times, most recently from 57b754d to 613913f Compare November 21, 2025 00:25
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch 5 times, most recently from b653866 to 83aacef Compare November 24, 2025 12:26
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch 2 times, most recently from acd7cc2 to 0b271e0 Compare November 24, 2025 18:48
| datasource | package             | from    | to      |
| ---------- | ------------------- | ------- | ------- |
| go         | golang.org/x/crypto | v0.43.0 | v0.45.0 |


Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from 0b271e0 to b1f2853 Compare November 25, 2025 00:27