
Conversation

Contributor

@renovate-sh-app renovate-sh-app bot commented Nov 14, 2025

This PR contains the following updates:

| Package             | Change             |
| ------------------- | ------------------ |
| golang.org/x/crypto | v0.43.0 -> v0.45.0 |

GitHub Vulnerability Alerts

CVE-2025-58181

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

CVE-2025-47914

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.


golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read

CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135

More information

Details

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent

CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135

More information

Details

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Unbounded memory consumption in golang.org/x/crypto/ssh

CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134

More information

Details

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption

CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134

More information

Details

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.
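As an added illustration (not code from golang.org/x/crypto or from this project), the two parsing defects described in the advisories above, an unchecked element count and an unchecked length field, shown beside a bounded parser that rejects both before allocating or reading; the wire layout, the `maxMechanisms` cap and the sample bytes are assumptions constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const maxMechanisms = 16 // assumed cap: a policy choice, not a value from the advisories

var errMalformed = errors.New("malformed message")

// Constructed sample request: count 2, then the strings "mech-a" and "mech-b".
var sampleRequest = []byte{0, 0, 0, 2, 0, 0, 0, 6, 'm', 'e', 'c', 'h', '-', 'a', 0, 0, 0, 6, 'm', 'e', 'c', 'h', '-', 'b'}

// readString reads an SSH-style uint32-length-prefixed byte string, checking the
// declared length against the bytes present (the check whose absence gives an out-of-bounds read).
func readString(buf []byte) (s, rest []byte, err error) {
	if len(buf) < 4 {
		return nil, nil, errMalformed
	}
	n := binary.BigEndian.Uint32(buf)
	buf = buf[4:]
	if uint64(n) > uint64(len(buf)) {
		return nil, nil, fmt.Errorf("%w: length %d exceeds %d remaining bytes", errMalformed, n, len(buf))
	}
	return buf[:n], buf[n:], nil
}

// parseMechanisms parses "uint32 count, then count strings". The count is bounded
// before any allocation, so an attacker-chosen count cannot drive memory use.
func parseMechanisms(buf []byte) ([]string, error) {
	if len(buf) < 4 {
		return nil, errMalformed
	}
	count := binary.BigEndian.Uint32(buf)
	buf = buf[4:]
	if count > maxMechanisms {
		return nil, fmt.Errorf("%w: %d mechanisms exceeds cap %d", errMalformed, count, maxMechanisms)
	}
	mechs := make([]string, 0, count) // safe only because count is bounded above
	for i := uint32(0); i < count; i++ {
		s, rest, err := readString(buf)
		if err != nil {
			return nil, err
		}
		buf, mechs = rest, append(mechs, string(s))
	}
	return mechs, nil
}
```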

Contributor Author

renovate-sh-app bot commented Nov 14, 2025

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 5 additional dependencies were updated

Details:

| Package           | Change             |
| ----------------- | ------------------ |
| golang.org/x/net  | v0.46.0 -> v0.47.0 |
| golang.org/x/sync | v0.17.0 -> v0.18.0 |
| golang.org/x/sys  | v0.37.0 -> v0.38.0 |
| golang.org/x/text | v0.30.0 -> v0.31.0 |
| golang.org/x/term | v0.36.0 -> v0.37.0 |

Contributor

github-actions bot commented Nov 14, 2025

🔍 Dependency Review

Below is an assessment of the Go module dependency updates in this PR, with links to release notes and any actionable code-change guidance.


golang.org/x/crypto v0.43.0 -> v0.45.0 — ✅ Safe

Summary:

  • No documented exported API removals or breaking changes across v0.44.0 and v0.45.0.
  • Changes in these ranges are primarily bug fixes and security hardening across subpackages (e.g., ssh, hkdf, tls primitives).

Potential areas to smoke-test:

  • Code paths using x/crypto/ssh authentication and key parsing.
  • Any custom crypto primitives usage (scrypt, hkdf) for behavior changes under edge conditions.

Code changes required:

  • None expected.

golang.org/x/net v0.46.0 -> v0.47.0 — ✅ Safe

Summary:

  • No documented exported API removals or behavioral breaking changes.
  • Typical updates include bug fixes across subpackages (http2, proxy, websocket, net{ipv4,ipv6}, etc.).

Potential areas to smoke-test:

  • HTTP/2 clients/servers using x/net/http2 (timeouts, flow control, connection reuse).
  • Proxy and websocket integrations.

Code changes required:

  • None expected.

golang.org/x/sync v0.17.0 -> v0.18.0 — ✅ Safe

Summary:

  • No API removals; errgroup, singleflight, semaphore maintain compatibility.
  • Minor fixes and documentation improvements.

Potential areas to smoke-test:

  • Errgroup cancellation semantics when the first error is returned.
  • Semaphore acquisition/release under contention.

Code changes required:

  • None expected.

golang.org/x/sys v0.37.0 -> v0.38.0 — ✅ Safe

Summary:

  • Additions of new constants/structs and platform updates; no removals observed.
  • This package rarely introduces breaking changes in minor bumps.

Potential areas to smoke-test:

  • Platform-specific code paths (epoll/kqueue/ioctl/termios).
  • Filesystem/permissions and signal handling on Linux/BSD/Darwin/Windows.

Code changes required:

  • None expected.

golang.org/x/text v0.30.0 -> v0.31.0 — ✅ Safe

Summary:

  • Data/table updates (e.g., Unicode/CLDR refresh), no API removals indicated.
  • Security and correctness improvements in bidi/cases/runes packages are typical.

Potential areas to smoke-test:

  • Any bidi-sensitive rendering paths.
  • Case folding/normalization-sensitive logic.

Code changes required:

  • None expected.

golang.org/x/term v0.36.0 -> v0.37.0 (indirect) — ✅ Safe

Summary:

  • No API changes indicated; maintenance and platform constant updates.
  • Indirect dependency bump; validate only if you directly call term functions.

Code changes required:

  • None expected.

Notes

  • All updates are minor bumps within v0 modules from golang.org/x. Based on the release notes referenced above, no code changes are indicated.
  • Recommended to run existing integration tests that exercise:
    • x/net/http2 client/server flows
    • SSH auth/handshake using x/crypto/ssh
    • Terminal and syscalls on supported platforms
  • No net-new dependencies were introduced by the provided diff.

Contributor

@witekest witekest left a comment

CVSS Base Score: 7.5

Because of the high severity, it would be good to include it in 1.12.0 soon.

@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from 9e3011e to 534c1f8 Compare November 14, 2025 15:28
@jharvey10
Contributor

Once our OTel update gets merged in, I'll get this one merged as well before cutting the 1.12 RC.

@renovate-sh-app renovate-sh-app bot changed the title fix(deps): update module golang.org/x/crypto to v0.43.0 [security] fix(deps): update module golang.org/x/crypto to v0.43.0 [security] - autoclosed Nov 14, 2025
@renovate-sh-app renovate-sh-app bot closed this Nov 14, 2025
@renovate-sh-app renovate-sh-app bot deleted the renovate/go-golang.org-x-crypto-vulnerability branch November 14, 2025 18:34
@renovate-sh-app renovate-sh-app bot changed the title fix(deps): update module golang.org/x/crypto to v0.43.0 [security] - autoclosed fix(deps): update module golang.org/x/crypto to v0.45.0 [security] Nov 20, 2025
@renovate-sh-app renovate-sh-app bot reopened this Nov 20, 2025
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from 321b6e9 to 534c1f8 Compare November 20, 2025 03:34
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from 534c1f8 to 321b6e9 Compare November 20, 2025 03:34
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch 2 times, most recently from e9f5032 to b537c42 Compare November 20, 2025 18:37
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch 2 times, most recently from 57b754d to 613913f Compare November 21, 2025 00:25
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch 2 times, most recently from 7e93563 to 6c499ac Compare November 21, 2025 15:32
| datasource | package             | from    | to      |
| ---------- | ------------------- | ------- | ------- |
| go         | golang.org/x/crypto | v0.43.0 | v0.45.0 |


Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from 6c499ac to db253b2 Compare November 21, 2025 21:30