Security Vulnerability Review: Go Standard Library CVEs
Several CVEs affecting Go standard libraries have been identified. We are requesting confirmation on whether Temporal is impacted, and if any patches or mitigations are already planned or required.
List of CVEs
| CVE ID | Description |
|---|---|
| CVE-2025-47912 | Parse() incorrectly allows non-IPv6 values inside square brackets in URL host (RFC 3986 violation). |
| CVE-2025-58185 | Malicious DER payloads may allocate excessive memory, leading to memory exhaustion. |
| CVE-2025-58186 | Unlimited cookie parsing may result in high memory usage when many small cookies are sent. |
| CVE-2025-58187 | Name constraint checking scales non-linearly with certificate size, a potential performance issue. |
| CVE-2025-58188 | DSA-based certificate validation may cause program panic due to unsafe interface casting. |
| CVE-2025-58189 | Conn.Handshake may leak attacker-controlled ALPN protocol values without escaping. |
| CVE-2025-61724 | Reader.ReadResponse() uses repeated string concatenation, leading to high CPU usage. |
| CVE-2025-61725 | ParseAddress() repeatedly concatenates domain literals, causing CPU performance impact. |
Suggested Code Areas to Review
The installed version is 1.25.0, and as per the patch advisory, it should be upgraded to 1.25.3 to address the issue.
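As an added check (not code from the issue or from Temporal), a small Go helper that decides whether a toolchain version is still below the 1.25.3 fix named above; the version strings it is tested with are constructed inputs.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// FixedGoVersion is the patched release the issue asks to upgrade to.
const FixedGoVersion = "go1.25.3"

// GoVersion holds the numeric parts of a release string such as "go1.25.0".
type GoVersion struct{ Major, Minor, Patch int }

// ParseGoVersion accepts "go1.25.3", "1.25.3" or "go1.25" (patch defaults to 0).
// Pre-release and devel toolchains ("go1.26rc1", "devel ...") are rejected so
// they can never be mistaken for a fixed release.
func ParseGoVersion(s string) (GoVersion, error) {
	parts := strings.Split(strings.TrimPrefix(strings.TrimSpace(s), "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return GoVersion{}, fmt.Errorf("unsupported Go version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return GoVersion{}, fmt.Errorf("unsupported Go version %q", s)
		}
		n[i] = v
	}
	return GoVersion{n[0], n[1], n[2]}, nil
}

// NeedsUpgrade reports whether installed is older than fixed on the same
// release line. A different line (1.24.x or 1.26.x, say) has its own advisory,
// so it is returned as an error rather than guessed at.
func NeedsUpgrade(installed, fixed string) (bool, error) {
	in, err := ParseGoVersion(installed)
	if err != nil {
		return false, err
	}
	fx, err := ParseGoVersion(fixed)
	if err != nil {
		return false, err
	}
	if in.Major != fx.Major || in.Minor != fx.Minor {
		return false, fmt.Errorf("%s is not on the %s line; check that line's advisory", installed, fixed)
	}
	return in.Patch < fx.Patch, nil
}
```

Feed it runtime.Version() from inside the service, or the toolchain line printed by `go version -m <binary>`, rather than the `go` on PATH: the toolchain baked into the shipped binary is the one that matters.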