
Conversation

@rayaisaiah rayaisaiah (Contributor) commented Jun 30, 2025

Reason for Change:
Resolves GHSA-fv92-fjc5-jj9h, a vulnerability present in the github.com/go-viper/mapstructure/v2 v2.2.1 package in the current v1.6.26 version.

Other CVEs resolved in #3763.

mcr.microsoft.com/containernetworking/azure-npm:v1.6.26 (ubuntu 24.04)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 0, CRITICAL: 0)

┌────────────────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────┬───────────────────────────────────────────┐
│      Library       │ Vulnerability │ Severity │ Status │ Installed Version │  Fixed Version   │                   Title                   │
├────────────────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────┼───────────────────────────────────────────┤
│ libpam-modules     │ CVE-2025-6020 │ MEDIUM   │ fixed  │ 1.5.3-5ubuntu5.1  │ 1.5.3-5ubuntu5.4 │ linux-pam: Linux-pam directory Traversal  │
│                    │               │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2025-6020 │
├────────────────────┤               │          │        │                   │                  │                                           │
│ libpam-modules-bin │               │          │        │                   │                  │                                           │
│                    │               │          │        │                   │                  │                                           │
├────────────────────┤               │          │        │                   │                  │                                           │
│ libpam-runtime     │               │          │        │                   │                  │                                           │
│                    │               │          │        │                   │                  │                                           │
├────────────────────┤               │          │        │                   │                  │                                           │
│ libpam0g           │               │          │        │                   │                  │                                           │
│                    │               │          │        │                   │                  │                                           │
└────────────────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────┴───────────────────────────────────────────┘

usr/bin/azure-npm (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌─────────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│               Library               │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                           │
├─────────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ github.com/go-viper/mapstructure/v2 │ GHSA-fv92-fjc5-jj9h │ MEDIUM   │ fixed  │ v2.2.1            │ 2.3.0         │ mapstructure May Leak Sensitive Information in Logs When │
│                                     │                     │          │        │                   │               │ Processing Malformed Data                                │
│                                     │                     │          │        │                   │               │ https://github.com/advisories/GHSA-fv92-fjc5-jj9h        │
└─────────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

acnpublic.azurecr.io/azure-npm:v1.6.27New2 (ubuntu 24.04)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Issue Fixed:

Requirements:

Notes:
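The advisory this PR closes is titled "mapstructure May Leak Sensitive Information in Logs When Processing Malformed Data", and the fix on this page is simply the bump to v2.3.0. To make the failure class concrete, the following is an added, standard-library-only Go example written for this page; it is not mapstructure's code and not part of the azure-container-networking change. The `Field` schema type, the `DecodeLeaky`/`DecodeSafe` pair, the `LeaksSecret` check and the sample input (a token pasted into a numeric field) are all constructed here for illustration: a decoder that echoes the offending value in its error text hands that value to whatever logs the error, while one that reports only field name and types does not.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
	"strings"
)

// ErrTypeMismatch marks a value that cannot be decoded into its target field.
var ErrTypeMismatch = errors.New("type mismatch")

// Field describes one expected key in the input document (hypothetical schema type
// introduced for this example).
type Field struct {
	Name string
	Kind reflect.Kind
}

// kindOf returns the reflect.Kind of v, treating an untyped nil as reflect.Invalid
// so a missing or null value cannot panic the decoder.
func kindOf(v any) reflect.Kind {
	if v == nil {
		return reflect.Invalid
	}
	return reflect.TypeOf(v).Kind()
}

// DecodeLeaky models the failure class the advisory describes: on a type mismatch
// the error text echoes the raw input value, so a caller that logs the error also
// logs whatever was in the malformed field.
func DecodeLeaky(in map[string]any, schema []Field) error {
	for _, f := range schema {
		v, ok := in[f.Name]
		if !ok {
			continue
		}
		if got := kindOf(v); got != f.Kind {
			return fmt.Errorf("%w: field %q expected %s, got %s, value: '%v'",
				ErrTypeMismatch, f.Name, f.Kind, got, v)
		}
	}
	return nil
}

// DecodeSafe reports the same field name and type information but never the
// value, which is the shape a log-safe decode error should have.
func DecodeSafe(in map[string]any, schema []Field) error {
	for _, f := range schema {
		v, ok := in[f.Name]
		if !ok {
			continue
		}
		if got := kindOf(v); got != f.Kind {
			return fmt.Errorf("%w: field %q expected %s, got %s",
				ErrTypeMismatch, f.Name, f.Kind, got)
		}
	}
	return nil
}

// LeaksSecret is the check to run over an error before it reaches a logger:
// does the message contain the sensitive input verbatim?
func LeaksSecret(err error, secret string) bool {
	return err != nil && strings.Contains(err.Error(), secret)
}

// Schema for a constructed config document: one integer port and one string name.
var Schema = []Field{{"port", reflect.Int}, {"name", reflect.String}}

// Constructed malformed input: an operator pasted an API token into the numeric
// "port" key. The token value is a placeholder, not a real credential.
var MalformedInput = map[string]any{"port": "tok_EXAMPLE_do_not_log", "name": "azure-npm"}

func main() {
	const secret = "tok_EXAMPLE_do_not_log"
	leaky := DecodeLeaky(MalformedInput, Schema)
	safe := DecodeSafe(MalformedInput, Schema)
	fmt.Printf("leaky error: %v (contains secret: %t)\n", leaky, LeaksSecret(leaky, secret))
	fmt.Printf("safe error:  %v (contains secret: %t)\n", safe, LeaksSecret(safe, secret))
}
```

For the real dependency the equivalent check is the one the PR description already shows: rescan the built image and confirm the gobinary finding for github.com/go-viper/mapstructure/v2 is gone, or run `go list -m github.com/go-viper/mapstructure/v2` in the module and confirm it resolves to v2.3.0 or later.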

Copilot AI review requested due to automatic review settings June 30, 2025 16:13
@rayaisaiah rayaisaiah requested review from a team as code owners June 30, 2025 16:13
@rayaisaiah rayaisaiah requested a review from matmerr June 30, 2025 16:13
@rayaisaiah rayaisaiah added the npm Related to NPM. label Jun 30, 2025
Copilot AI (Contributor) left a comment

Pull Request Overview

This PR resolves the GHSA-fv92-fjc5-jj9h vulnerability by updating package versions and dependencies, as well as moving to a newer base image. Key changes include:

  • Updating the base image in npm/linux.Dockerfile from Ubuntu 20.04 to 24.04 and pinning related package versions.
  • Changing the IP_TAG value in hack/aks/Makefile.
  • Bumping the version of github.com/go-viper/mapstructure/v2 in go.mod from v2.2.1 to v2.3.0.

Reviewed Changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.

File: npm/linux.Dockerfile
Description: Updated base image to Ubuntu 24.04 and installed pinned package versions for fixes

File: hack/aks/Makefile
Description: Modified the IP_TAG value to match the appropriate non-production setting

File: go.mod
Description: Upgraded github.com/go-viper/mapstructure/v2 to a fixed version for vulnerability resolution

@rayaisaiah rayaisaiah changed the base branch from master to release/v1.6 June 30, 2025 16:16
@rayaisaiah rayaisaiah (Contributor, Author) commented:

/azp run Azure Container Networking PR

@azure-pipelines commented:
Azure Pipelines successfully started running 1 pipeline(s).

@rayaisaiah rayaisaiah enabled auto-merge (squash) June 30, 2025 16:21
@rayaisaiah rayaisaiah merged commit 1ba39f7 into release/v1.6 Jun 30, 2025
6 checks passed
@rayaisaiah rayaisaiah deleted the isaiahraya/fix-GHSA-fv92-fjc5-jj9h branch June 30, 2025 16:50
Labels

linux npm Related to NPM.

3 participants