[HIGH] fix: CVE-2025-47913 — bump golang.org/x/crypto#121
[HIGH] fix: CVE-2025-47913 — bump golang.org/x/crypto#121Pattern Security Automation (pattern-security-automation) wants to merge 1 commit into
Conversation
CVE: CVE-2025-47913 Component: golang.org/x/crypto Fixed version: 0.43.0 Manifest: go.mod Dependency type: direct
Wiz Scan Summary
To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension. |
| go.yaml.in/yaml/v2 v2.4.2 // indirect | ||
| go.yaml.in/yaml/v3 v3.0.4 // indirect | ||
| golang.org/x/crypto v0.42.0 // indirect | ||
| golang.org/x/crypto v0.43.0 // indirect |
There was a problem hiding this comment.
The following vulnerabilities impact golang.org/x/crypto versions <0.52.0: CVE-2025-47914, CVE-2025-58181, CVE-2026-39827, CVE-2026-39828, CVE-2026-39829, CVE-2026-39830, CVE-2026-39831, CVE-2026-39832, CVE-2026-39833, CVE-2026-39834, CVE-2026-39835, CVE-2026-42508, CVE-2026-46595, CVE-2026-46597, CVE-2026-46598.
These can be remediated by updating to version 0.52.0 or higher.
To ignore this finding as an exception, reply to this conversation with #wiz_ignore reason
If you'd like to ignore this finding in all future scans, add an exception in the .wiz file (learn more) or create an Ignore Rule (learn more).
To get more details on how to remediate this issue using AI, reply to this conversation with #wiz remediate
| golang.org/x/crypto v0.43.0 // indirect | |
| golang.org/x/crypto v0.52.0 // indirect |
There was a problem hiding this comment.
Pull request overview
Updates the Go module dependency golang.org/x/crypto to the patched version addressing CVE-2025-47913, aligning the repo’s dependency graph with the recommended security remediation.
Changes:
- Bumped
golang.org/x/cryptofromv0.42.0tov0.43.0ingo.mod. - (Not included in this PR)
go.sumwas not regenerated as indicated by the PR description.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| go.yaml.in/yaml/v2 v2.4.2 // indirect | ||
| go.yaml.in/yaml/v3 v3.0.4 // indirect | ||
| golang.org/x/crypto v0.42.0 // indirect | ||
| golang.org/x/crypto v0.43.0 // indirect |
| go.yaml.in/yaml/v2 v2.4.2 // indirect | ||
| go.yaml.in/yaml/v3 v3.0.4 // indirect | ||
| golang.org/x/crypto v0.42.0 // indirect | ||
| golang.org/x/crypto v0.43.0 // indirect |
Supply Chain Vulnerability — Auto-Remediation PR
CVE Details
CVE-2025-47913patterninc/heimdallgolang.org/x/crypto0.43.0v0.42.0What Changed
golang.org/x/crypto:
v0.42.0→0.43.0go.modLock File Status
Lock file update failed — manual regen required
CI Validation
False positive?
References
Auto-generated by Pattern Security Automation