Skip to content

fix(security): upgrade golang.org/x/oauth2 to v0.27.0 to resolve CVE-2025-22868 #5233

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 15 commits into from
Oct 26, 2025
Merged

fix(security): upgrade golang.org/x/oauth2 to v0.27.0 to resolve CVE-2025-22868 #5233

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
9eee568
fix(security): upgrade golang.org/x/oauth2 to v0.27.0 to resolve CVE-…
UJESH2K Oct 22, 2025
ee3a7b4
chore: update Go version to 1.24.0 in go.mod, Dockerfile, and CI work…
UJESH2K Oct 23, 2025
26aa1f6
fix: use stable golang:1.24.0-bookworm base image in Dockerfile
UJESH2K Oct 23, 2025
ac32743
1.25 go version
UJESH2K Oct 23, 2025
bd3ab16
golang.org/x/crypto v0.35.0 go version
UJESH2K Oct 23, 2025
76c5b75
golang.org/x/crypto v0.35.0 go version and 1.24
UJESH2K Oct 23, 2025
80b76cb
changed docker
UJESH2K Oct 23, 2025
68435b8
changed docker
UJESH2K Oct 23, 2025
934d246
Temporary commit before rebase
UJESH2K Oct 23, 2025
8aeed59
Changed trivy to v2 and authentication goversion to 1.24.0
UJESH2K Oct 23, 2025
c3cebad
Revert Trivy v2 change
UJESH2K Oct 23, 2025
bacc83e
changed build.yml from 1.24 to 1.24.0
UJESH2K Oct 23, 2025
a8c2cb1
removed trivy version mismatch
UJESH2K Oct 23, 2025
647f7fd
Merge branch 'master' into fix/oauth2-vulnerability
UJESH2K Oct 24, 2025
19f4d9d
go mod tidy
UJESH2K Oct 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 8 additions & 3 deletions .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,7 +99,7 @@ jobs:
uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: "1.22" # By default, the go version is v1.15 in runner.
go-version: "1.24.0" # By default, the go version is v1.15 in runner.
- name: Backend unit tests
shell: bash
run: |
Expand Down Expand Up @@ -148,7 +148,8 @@ jobs:
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
severity: 'CRITICAL,HIGH'


docker-build-authentication-server:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -176,7 +177,7 @@ jobs:
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'

docker-build-subscriber:
runs-on: ubuntu-latest
needs:
Expand All @@ -203,6 +204,7 @@ jobs:
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'


docker-build-frontend:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -233,6 +235,7 @@ jobs:
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'


docker-build-event-tracker:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -260,6 +263,7 @@ jobs:
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'


docker-build-dex-server:
runs-on: ubuntu-latest
Expand All @@ -286,3 +290,4 @@ jobs:
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'

7 changes: 5 additions & 2 deletions chaoscenter/authentication/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,14 +14,17 @@ RUN go env

RUN CGO_ENABLED=0 go build -o /output/server -v ./api/

# Packaging stage
# PACKAGING STAGE
# Use RedHat UBI minimal image as base
FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5

LABEL maintainer="LitmusChaos"

ENV APP_DIR="/litmus"

# Ensure base packages (including libxslt) are patched
RUN microdnf -y update && microdnf clean all

COPY --from=builder /output/server $APP_DIR/
RUN chown 65534:0 $APP_DIR/server && chmod 755 $APP_DIR/server

Expand All @@ -30,4 +33,4 @@ USER 65534

CMD ["./server"]

EXPOSE 3000
EXPOSE 3000
2 changes: 1 addition & 1 deletion chaoscenter/authentication/go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ require (
github.com/stretchr/testify v1.9.0
go.mongodb.org/mongo-driver v1.17.1
golang.org/x/crypto v0.43.0
golang.org/x/oauth2 v0.21.0
golang.org/x/oauth2 v0.27.0
google.golang.org/grpc v1.66.2
google.golang.org/protobuf v1.34.2
)
Expand Down
4 changes: 2 additions & 2 deletions chaoscenter/authentication/go.sum
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -128,8 +128,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
golang.org/x/net v0.45.0 h1:RLBg5JKixCy82FtLJpeNlVM0nrSqpCRYzVU1n8kj0tM=
golang.org/x/net v0.45.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be done from go.mod not from here directly.First update go.mod & then run go mod tidy. Please fix.

golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
Expand Down
Loading