
Conversation


@UJESH2K UJESH2K commented Oct 22, 2025

Fixes #5232

Summary

Upgrades golang.org/x/oauth2 from v0.21.0 → v0.27.0 to patch CVE-2025-22868 (DoS vulnerability).

Validation

✅ go build ./...
✅ go test ./...
✅ govulncheck shows no oauth2 vulnerability

No authentication or token flow regressions observed.

module github.com/litmuschaos/litmus/chaoscenter/authentication

go 1.22.0
go 1.23.0
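Review bot: the go directive bump in this hunk (1.22.0 to 1.23.0) has to match the Go version the Dockerfile base image and the CI build workflow use; the review thread asks for 1.24.0 in all three places, so set the directive here to the same version the Dockerfile and the workflow pin, otherwise local builds, the container image and CI compile with different toolchains and the module's minimum version no longer describes what actually ships.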
Contributor


Please update it to 1.24.0 along with other 2 more places -

  • Dockerfile
  • CI build workflow.
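
The three-place version check the reviewer asks for, as an added example that is not part of this PR or the litmus code base: a small Go program that reads the go directive from go.mod, the golang base image tag from a Dockerfile and the go-version input of a setup-go step in a workflow, and reports every surface that disagrees with go.mod. The three file contents are constructed samples, and the layouts it parses (FROM golang:<version>, go-version: "<version>") are assumptions about how a project pins its toolchain, not facts from the page.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample inputs (not the project's real files): the three build
// surfaces deliberately disagree on the Go version.
const sampleGoMod = `module github.com/litmuschaos/litmus/chaoscenter/authentication

go 1.23.0

require golang.org/x/oauth2 v0.27.0
`

const sampleDockerfile = `FROM golang:1.24.0 AS builder
WORKDIR /src
COPY . .
RUN go build ./...
`

const sampleWorkflow = `name: build
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-go@v5
        with:
          go-version: "1.22.0"
`

// Assumed layouts: a "go X.Y[.Z]" directive, a "FROM golang:X.Y[.Z]" base image,
// and a "go-version: X.Y[.Z]" input (optionally quoted).
var (
	goModRe      = regexp.MustCompile(`(?m)^go\s+(\d+\.\d+(?:\.\d+)?)\s*$`)
	dockerfileRe = regexp.MustCompile(`(?m)^FROM\s+golang:(\d+\.\d+(?:\.\d+)?)`)
	workflowRe   = regexp.MustCompile(`(?m)^\s*go-version:\s*["']?(\d+\.\d+(?:\.\d+)?)["']?`)
)

// extractVersion returns the first capture group of re in text, or "" if absent.
func extractVersion(re *regexp.Regexp, text string) string {
	m := re.FindStringSubmatch(text)
	if m == nil {
		return ""
	}
	return m[1]
}

// GoVersions holds the Go version each build surface pins.
type GoVersions struct {
	GoMod, Dockerfile, Workflow string
}

// CollectGoVersions extracts the pinned version from each of the three files.
func CollectGoVersions(goMod, dockerfile, workflow string) GoVersions {
	return GoVersions{
		GoMod:      extractVersion(goModRe, goMod),
		Dockerfile: extractVersion(dockerfileRe, dockerfile),
		Workflow:   extractVersion(workflowRe, workflow),
	}
}

// Mismatches returns one finding per surface that disagrees with go.mod, plus a
// finding for any surface where no version could be found at all.
func Mismatches(v GoVersions) []string {
	var out []string
	if v.GoMod == "" {
		out = append(out, "go.mod: no go directive found")
	}
	check := func(name, got string) {
		switch {
		case got == "":
			out = append(out, name+": no Go version found")
		case got != v.GoMod:
			out = append(out, fmt.Sprintf("%s pins go %s but go.mod declares go %s", name, got, v.GoMod))
		}
	}
	check("Dockerfile", v.Dockerfile)
	check("CI workflow", v.Workflow)
	return out
}

func main() {
	findings := Mismatches(CollectGoVersions(sampleGoMod, sampleDockerfile, sampleWorkflow))
	if len(findings) == 0 {
		fmt.Println("all build surfaces agree on the Go version")
	}
	for _, f := range findings {
		fmt.Println("MISMATCH:", f)
	}
}
```

Run as a CI step, a non-empty findings list is a reason to fail the build: a toolchain bump that lands in go.mod alone is exactly the partial change the reviewer flagged.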

Contributor Author


Thanks for the review. I'll update and push.

Contributor Author


@Jonsy13
Thanks for the review! 🙌
I’ve updated the Go version to 1.24.0 in all three places — go.mod, Dockerfile, and the CI build workflow as suggested.
Kindly review the latest changes and let me know if there are any other updates required. 😊

UJESH2K force-pushed the fix/oauth2-vulnerability branch 4 times, most recently from f7b0f17 to ccc4ccf on October 23, 2025 19:09

Contributor Author

UJESH2K commented Oct 23, 2025

The Trivy scan is currently failing on this PR due to a vulnerability in github.com/golang-jwt/jwt (CVE-2025-30204).
✅ This issue has already been addressed in a separate PR: #5246.
For this PR, we are focusing on the OAuth2 vulnerability fix, and the JWT update will be merged through the linked PR.

UJESH2K force-pushed the fix/oauth2-vulnerability branch from 6f66aa3 to ff10a26 on October 23, 2025 21:51
UJESH2K force-pushed the fix/oauth2-vulnerability branch from ff10a26 to af3ffcc on October 23, 2025 21:55
UJESH2K and others added 11 commits October 23, 2025 21:57
Signed-off-by: UJESH KUMAR YADAV <[email protected]>
UJESH2K force-pushed the fix/oauth2-vulnerability branch from af3ffcc to a8c2cb1 on October 23, 2025 21:57

Contributor

Jonsy13 commented Oct 24, 2025

Please update this branch with main & resolve conflicts

Contributor Author

UJESH2K commented Oct 25, 2025

Please review the PRs; they are up to date now!

golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
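Review bot: this go.sum hunk adds only the `h1:` line for golang.org/x/oauth2 v0.27.0 and has no matching `golang.org/x/oauth2 v0.27.0/go.mod h1:...` entry, while the v0.21.0 lines above it are still present; a hand-edited go.sum in this state leaves the module's go.mod hash unverified and keeps entries the build may no longer need. Bump the version in go.mod and run `go mod tidy` so both v0.27.0 entries are generated from the checksum database and any entries the module graph no longer needs are removed.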
Contributor


This should be done from go.mod, not from here directly. First update go.mod and then run go mod tidy. Please fix.
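
The go.mod-then-go mod tidy point above, as an added example that is not part of this PR or the litmus code base: a Go program that cross-checks a go.sum against the require directives in go.mod and flags a required version that lacks either its h1: line or its /go.mod line, plus entries for versions of a required module that go.mod no longer names. The go.mod and go.sum contents are constructed samples with placeholder hashes, not the project's real files; whether a leftover entry is truly stale is for go mod tidy to decide, so the tool only reports it for review.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample (not the PR's real files): go.mod is already at v0.27.0,
// but go.sum was edited by hand, so only the h1: line for v0.27.0 exists and
// the v0.21.0 entries remain. Hashes are placeholders, not real checksums.
const sampleGoMod = `module example.com/authentication

go 1.24.0

require (
	golang.org/x/oauth2 v0.27.0
	github.com/golang-jwt/jwt/v5 v5.2.2
)
`

const sampleGoSum = `github.com/golang-jwt/jwt/v5 v5.2.2 h1:PLACEHOLDER_CONSTRUCTED_NOT_A_REAL_HASH_A=
github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:PLACEHOLDER_CONSTRUCTED_NOT_A_REAL_HASH_B=
golang.org/x/oauth2 v0.21.0 h1:PLACEHOLDER_CONSTRUCTED_NOT_A_REAL_HASH_C=
golang.org/x/oauth2 v0.21.0/go.mod h1:PLACEHOLDER_CONSTRUCTED_NOT_A_REAL_HASH_D=
golang.org/x/oauth2 v0.27.0 h1:PLACEHOLDER_CONSTRUCTED_NOT_A_REAL_HASH_E=
`

// requireSet parses the require directives of a go.mod (single-line and block
// forms) into module path -> version.
func requireSet(goMod string) map[string]string {
	req := map[string]string{}
	inBlock := false
	for _, raw := range strings.Split(goMod, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) >= 3 {
				req[f[1]] = f[2]
			}
		case inBlock && line != "" && !strings.HasPrefix(line, "//"):
			if f := strings.Fields(line); len(f) >= 2 {
				req[f[0]] = f[1]
			}
		}
	}
	return req
}

// sumEntry records which of the two go.sum lines exist for one module@version:
// the module zip hash ("module version h1:") and the go.mod hash ("version/go.mod").
type sumEntry struct{ zip, mod bool }

// sumEntries parses go.sum into module path -> version -> present hash lines.
func sumEntries(goSum string) map[string]map[string]*sumEntry {
	out := map[string]map[string]*sumEntry{}
	for _, raw := range strings.Split(goSum, "\n") {
		f := strings.Fields(raw)
		if len(f) != 3 || !strings.HasPrefix(f[2], "h1:") {
			continue
		}
		mod, ver := f[0], f[1]
		isGoMod := strings.HasSuffix(ver, "/go.mod")
		ver = strings.TrimSuffix(ver, "/go.mod")
		if out[mod] == nil {
			out[mod] = map[string]*sumEntry{}
		}
		e := out[mod][ver]
		if e == nil {
			e = &sumEntry{}
			out[mod][ver] = e
		}
		if isGoMod {
			e.mod = true
		} else {
			e.zip = true
		}
	}
	return out
}

// AuditGoSum reports, sorted, every required module version that is missing a hash
// line and every go.sum entry for a version of a required module that go.mod does
// not name (left for go mod tidy to keep or drop).
func AuditGoSum(goMod, goSum string) []string {
	var findings []string
	sums := sumEntries(goSum)
	for mod, ver := range requireSet(goMod) {
		e := sums[mod][ver] // indexing a nil inner map is safe and yields nil
		if e == nil || !e.zip {
			findings = append(findings, fmt.Sprintf("%s %s: missing h1: hash", mod, ver))
		}
		if e == nil || !e.mod {
			findings = append(findings, fmt.Sprintf("%s %s: missing /go.mod hash", mod, ver))
		}
		for other := range sums[mod] {
			if other != ver {
				findings = append(findings, fmt.Sprintf("%s %s: entry for a version go.mod does not require (run go mod tidy)", mod, other))
			}
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	for _, f := range AuditGoSum(sampleGoMod, sampleGoSum) {
		fmt.Println("FINDING:", f)
	}
}
```

On the sample it reports the two symptoms visible in the hunk: the v0.27.0 entry without its /go.mod line, and the leftover v0.21.0 entry. After the go.mod edit and go mod tidy the audit comes back empty.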

Signed-off-by: UJESH KUMAR YADAV <[email protected]>
Jonsy13 merged commit e91c06c into litmuschaos:master Oct 26, 2025
19 of 20 checks passed

Labels

Hacktoberfest hacktoberfest-accepted Accepted for HacktoberFest

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Fix vulnerability: CVE-2025-22868 in golang.org/x/oauth2 (DoS from malicious token parsing)

3 participants