Skip to content

[HIGH] fix: CVE-2025-47913 — bump golang.org/x/crypto#121

Open
Pattern Security Automation (pattern-security-automation) wants to merge 1 commit into
mainfrom
fix/wiz-cve-2025-47913-a79662df
Open

[HIGH] fix: CVE-2025-47913 — bump golang.org/x/crypto#121
Pattern Security Automation (pattern-security-automation) wants to merge 1 commit into
mainfrom
fix/wiz-cve-2025-47913-a79662df

Conversation

@pattern-security-automation

Supply Chain Vulnerability — Auto-Remediation PR

This PR was automatically generated by Pattern Security Automation.
Please review the dependency change and ensure CI passes before merging.


CVE Details

Field Value
CVE CVE-2025-47913
Severity HIGH
Repository patterninc/heimdall
Vulnerable package golang.org/x/crypto
Fixed version 0.43.0
Dependency type Direct
Previous version v0.42.0
Language go

What Changed

golang.org/x/crypto: v0.42.00.43.0

  • go.mod

Lock File Status

Lock file update failed — manual regen required

CI Validation

This PR relies on the repository's existing CI pipeline to validate that the
dependency update does not break tests. Please ensure all checks pass before merging.

False positive?

If you've reviewed this and the CVE is not actually exploitable here, add the
wiz-false-positive label to this PR before closing it. The auto-remediation
pipeline will record the false positive, stop re-flagging this CVE, and (if enabled)
mark it rejected in Wiz.

References


Auto-generated by Pattern Security Automation

CVE: CVE-2025-47913
Component: golang.org/x/crypto
Fixed version: 0.43.0
Manifest: go.mod
Dependency type: direct
@wiz-55ccc8b716

wiz-55ccc8b716 Bot commented Jul 14, 2026

Copy link
Copy Markdown

Wiz Scan Summary

Scanner Findings
Vulnerability Finding Vulnerabilities 7 Critical 2 High 6 Medium
Data Finding Sensitive Data -
Secret Finding Secrets -
IaC Misconfiguration IaC Misconfigurations -
SAST Finding SAST Findings -
Software Management Finding Software Management Findings -
Total 7 Critical 2 High 6 Medium

View scan details in Wiz

To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension.

Comment thread go.mod
go.yaml.in/yaml/v2 v2.4.2 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/crypto v0.42.0 // indirect
golang.org/x/crypto v0.43.0 // indirect

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical Vulnerability Finding

The following vulnerabilities impact golang.org/x/crypto versions <0.52.0: CVE-2025-47914, CVE-2025-58181, CVE-2026-39827, CVE-2026-39828, CVE-2026-39829, CVE-2026-39830, CVE-2026-39831, CVE-2026-39832, CVE-2026-39833, CVE-2026-39834, CVE-2026-39835, CVE-2026-42508, CVE-2026-46595, CVE-2026-46597, CVE-2026-46598.

These can be remediated by updating to version 0.52.0 or higher.

To ignore this finding as an exception, reply to this conversation with #wiz_ignore reason

If you'd like to ignore this finding in all future scans, add an exception in the .wiz file (learn more) or create an Ignore Rule (learn more).

To get more details on how to remediate this issue using AI, reply to this conversation with #wiz remediate

Suggested change
golang.org/x/crypto v0.43.0 // indirect
golang.org/x/crypto v0.52.0 // indirect

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the Go module dependency golang.org/x/crypto to the patched version addressing CVE-2025-47913, aligning the repo’s dependency graph with the recommended security remediation.

Changes:

  • Bumped golang.org/x/crypto from v0.42.0 to v0.43.0 in go.mod.
  • (Not included in this PR) go.sum was not regenerated as indicated by the PR description.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread go.mod
go.yaml.in/yaml/v2 v2.4.2 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/crypto v0.42.0 // indirect
golang.org/x/crypto v0.43.0 // indirect
Comment thread go.mod
go.yaml.in/yaml/v2 v2.4.2 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/crypto v0.42.0 // indirect
golang.org/x/crypto v0.43.0 // indirect
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants