Skip to content

chore(deps): update go toolchain directive to v1.25.12 [security]#150

Open
felix-renovate[bot] wants to merge 1 commit into
mainfrom
renovate/golang-version-go-vulnerability
Open

chore(deps): update go toolchain directive to v1.25.12 [security]#150
felix-renovate[bot] wants to merge 1 commit into
mainfrom
renovate/golang-version-go-vulnerability

Conversation

@felix-renovate

@felix-renovate felix-renovate Bot commented Jun 4, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
go (source) toolchain patch 1.25.101.25.12

Inefficient candidate hostname parsing in crypto/x509

BIT-golang-2026-27145 / CVE-2026-27145 / GO-2026-5037

More information

Details

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Quadratic complexity in WordDecoder.DecodeHeader in mime

BIT-golang-2026-42504 / CVE-2026-42504 / GO-2026-5038

More information

Details

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Arbitrary inputs are included in errors without any escaping in net/textproto

BIT-golang-2026-42507 / CVE-2026-42507 / GO-2026-5039

More information

Details

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Root escape via symlink plus trailing slash in os

CVE-2026-39822 / GO-2026-4970

More information

Details

On Unix systems, opening a file in an os.Root improperly follows symlinks to locations outside of the Root when the final path component of the a path is a symbolic link and the path ends in /.

For example, 'root.Open("symlink/")' will open "symlink" even when "symlink" is a symbolic link pointing outside of the root.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Invoking Encrypted Client Hello privacy leak in crypto/tls

CVE-2026-42505 / GO-2026-5856

More information

Details

Handshakes which used Encrypted Client Hello could be de-anonymized by a passive network observer due to a disclosure of pre-shared key identities in the unencrypted client hello.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@felix-renovate felix-renovate Bot requested a review from a team as a code owner June 4, 2026 19:04
@felix-renovate felix-renovate Bot added the felix label Jun 4, 2026
@felix-renovate felix-renovate Bot changed the title chore(deps): update go toolchain directive to v1.25.11 [security] chore(deps): update go toolchain directive to v1.25.12 [security] Jul 14, 2026
@felix-renovate felix-renovate Bot force-pushed the renovate/golang-version-go-vulnerability branch from 85e1fd8 to c517a4c Compare July 14, 2026 20:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants