Bump github.com/go-sql-driver/mysql to v1.10.0 (clears CVE-2026-26958 / edwards25519 scanner flags) #994

Description

@yhzs8

Summary

The current sqlx release (v1.4.0) requires github.com/go-sql-driver/mysql v1.8.1, which transitively pulls in filippo.io/edwards25519 v1.1.0. That version of edwards25519 is flagged by CVE-2026-26958. Bumping the driver to v1.10.0 (current latest) resolves the flag, since go-sql-driver/mysql has already moved to a fixed edwards25519.

Details

  • CVE-2026-26958 affects filippo.io/edwards25519 ≤ v1.1.0: (*Point).MultiScalarMult returns an incorrect result (or undefined behavior) when the receiver is not the identity point. Fixed in v1.1.1. Severity is low (CVSS 1.7).
  • go-sql-driver/mysql v1.8.1 → edwards25519 v1.1.0 (flagged).
  • go-sql-driver/mysql v1.10.0 → edwards25519 v1.2.0 (updated to v1.1.1 in go-sql-driver/mysql#1749, "Update edwards25519 dependency to v1.1.1", then bumped to v1.2.0 in #1756). Not flagged.

On actual impact

For full disclosure: CVE-2026-26958 explicitly states that consumers who reach edwards25519 only through github.com/go-sql-driver/mysql are not affected — the driver never calls the vulnerable MultiScalarMult API. Symbol-reachability scanners such as govulncheck correctly report no vulnerability for sqlx today.

The practical issue is the many SCA/dependency scanners (Dependabot and other module-level matchers) that flag any dependency graph containing edwards25519 ≤ v1.1.0 regardless of symbol reachability. These produce recurring false positives for every project that depends on sqlx. Since go-sql-driver/mysql has already shipped a fixed version, updating the requirement here is a low-risk way to keep those downstream scans clean — it's really just keeping a direct dependency current, with the CVE noise going away as a side effect.

Suggested change

In go.mod, update github.com/go-sql-driver/mysql to v1.10.0 and run go mod tidy.

References
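The following is an added check, not part of this issue or of the sqlx project: a small Go program that reads the text of `go list -m all` and applies the same version-only test the issue attributes to module-level scanners, reporting whether the graph still requires filippo.io/edwards25519 below v1.1.1 (the fix version named above). The two module lists are constructed for illustration, not captured from sqlx; `example.com/app` is a placeholder main module, and `IsFlagged`, `ModuleVersion`, `compareSemver` and `parseSemver` are this example's own names. Versions are compared component-wise as integers because v1.10.0 sorts before v1.8.1 as a string, which is exactly the kind of mistake that makes a dependency bump look unfixed.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// From the issue: edwards25519 <= v1.1.0 is what module-level scanners flag;
// v1.1.1 is the first fixed release.
const (
	affectedModule = "filippo.io/edwards25519"
	fixedVersion   = "v1.1.1"
)

// parseSemver turns "v1.2.3" (optionally with -pre or +meta) into [1 2 3].
func parseSemver(v string) ([3]int, error) {
	var out [3]int
	s := strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad component %q in %q", p, v)
		}
		out[i] = n
	}
	return out, nil
}

// compareSemver returns -1, 0 or 1. Components are compared as integers,
// so v1.10.0 > v1.8.1, which a plain string comparison gets wrong.
func compareSemver(a, b string) (int, error) {
	av, err := parseSemver(a)
	if err != nil {
		return 0, err
	}
	bv, err := parseSemver(b)
	if err != nil {
		return 0, err
	}
	for i := range av {
		if av[i] < bv[i] {
			return -1, nil
		}
		if av[i] > bv[i] {
			return 1, nil
		}
	}
	return 0, nil
}

// ModuleVersion finds module in `go list -m all` output and returns its version.
// The main module line has no version and is skipped; a trailing "=> replacement"
// is ignored so the required version is what gets reported.
func ModuleVersion(goListOutput, module string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(goListOutput))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) >= 2 && f[0] == module {
			return f[1], true
		}
	}
	return "", false
}

// IsFlagged applies the version-only test module-level scanners use: flagged
// when the graph requires edwards25519 below fixedVersion. Absent module: not flagged.
func IsFlagged(goListOutput string) (bool, string, error) {
	v, ok := ModuleVersion(goListOutput, affectedModule)
	if !ok {
		return false, "", nil
	}
	c, err := compareSemver(v, fixedVersion)
	if err != nil {
		return false, v, err
	}
	return c < 0, v, nil
}

// Constructed `go list -m all` samples (not captured from sqlx); example.com/app
// is a placeholder main module.
const (
	beforeBump = "example.com/app\nfilippo.io/edwards25519 v1.1.0\ngithub.com/go-sql-driver/mysql v1.8.1\ngithub.com/jmoiron/sqlx v1.4.0\n"
	afterBump  = "example.com/app\nfilippo.io/edwards25519 v1.2.0\ngithub.com/go-sql-driver/mysql v1.10.0\ngithub.com/jmoiron/sqlx v1.4.0\n"
)

func main() {
	for _, s := range []struct{ name, out string }{{"before bump", beforeBump}, {"after bump", afterBump}} {
		flagged, v, err := IsFlagged(s.out)
		if err != nil {
			fmt.Println(s.name, "error:", err)
			continue
		}
		fmt.Printf("%s: %s %s flagged=%v\n", s.name, affectedModule, v, flagged)
	}
}
```

Run against a real tree by saving `go list -m all` to a file and feeding its contents to `IsFlagged`; after the bump described above the edwards25519 line should read v1.2.0 and the result should be not flagged. Because this mirrors the scanner's version-only matching rather than govulncheck's symbol reachability, it tells you whether the noise will go away, not whether the vulnerable API was ever reachable.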
