fix: Update dependencies to resolve 8 security vulnerabilities (1 critical, 2 high, 5 medium) #844

@corylanou

Description

Summary

Dependabot has identified 8 security vulnerabilities in our dependencies that need to be addressed:

  • 1 critical severity
  • 2 high severity
  • 5 medium severity

See: https://github.com/benbjohnson/litestream/security/dependabot

Vulnerabilities by Package

Critical

golang.org/x/crypto - CVE-2024-45337 (Alert #25)

  • Issue: Authorization bypass via ServerConfig.PublicKeyCallback misuse
  • Current: v0.41.0 (appears already patched)
  • Required: v0.31.0+

High

golang.org/x/oauth2 - CVE-2025-22868 (Alert #31)

  • Issue: Improper validation of syntactic correctness of input
  • Current: v0.15.0
  • Required: v0.27.0

golang.org/x/crypto - CVE-2025-22869 (Alert #29)

  • Issue: DoS via slow or incomplete key exchange
  • Current: v0.41.0 (appears already patched)
  • Required: v0.35.0+

Medium

golang.org/x/net - CVE-2025-22872 (Alert #30)

  • Issue: Cross-site scripting vulnerability
  • Current: v0.43.0 (appears already patched)
  • Required: v0.38.0+

golang.org/x/net - CVE-2025-22870 (Alert #28)

  • Issue: HTTP proxy bypass using IPv6 Zone IDs
  • Current: v0.43.0 (appears already patched)
  • Required: v0.36.0+

filippo.io/age - GHSA-32gq-x56h-299c (Alert #26)

  • Issue: Malicious plugin names causing arbitrary binary execution
  • Current: v1.1.1
  • Required: v1.2.1

golang.org/x/net - CVE-2023-45288 (Alert #24)

  • Issue: HTTP/2 header handling (close connections with too many headers)
  • Current: v0.43.0 (appears already patched)
  • Required: v0.23.0+

google.golang.org/protobuf - CVE-2024-24786 (Alert #23)

  • Issue: Infinite loop in protojson.Unmarshal with invalid JSON
  • Current: v1.31.0
  • Required: v1.33.0

Packages Requiring Updates

  1. filippo.io/age: v1.1.1 → v1.2.1
  2. golang.org/x/oauth2: v0.15.0 → v0.27.0
  3. google.golang.org/protobuf: v1.31.0 → v1.33.0

Note: golang.org/x/crypto (v0.41.0) and golang.org/x/net (v0.43.0) appear to already be above the required patch versions, but Dependabot is still flagging them. This should resolve after updating other dependencies and running go mod tidy.

Suggested Fix

# Pin each flagged module to the patched version listed above
go get filippo.io/age@v1.2.1
go get golang.org/x/oauth2@v0.27.0
go get google.golang.org/protobuf@v1.33.0
# Prune and re-resolve go.mod / go.sum after the bumps
go mod tidy

Verify all tests pass and dependencies are correctly resolved.
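A way to check the "appears already patched" claims mechanically, added here as an example and not code from the litestream project: it parses the output of `go list -m all` (here a constructed sample mirroring the versions in the issue), compares each flagged module against the highest patch version the alerts above require, and returns the modules still below that floor. The `Required` table and the sample listing are assumptions drawn from the alert text; only a semver comparison is implemented, so pre-release and build suffixes are ignored and pseudo-versions compare as their base.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Required holds the minimum patched version per module, taken from the alerts in
// the issue. Where a module has several alerts the highest floor is the one that counts.
var Required = map[string]string{
	"filippo.io/age":             "v1.2.1",
	"golang.org/x/crypto":        "v0.35.0", // max of v0.31.0 (CVE-2024-45337), v0.35.0 (CVE-2025-22869)
	"golang.org/x/net":           "v0.38.0", // max of v0.23.0, v0.36.0, v0.38.0
	"golang.org/x/oauth2":        "v0.27.0",
	"google.golang.org/protobuf": "v1.33.0",
}

// parseVersion turns "vMAJOR.MINOR.PATCH[-pre][+build]" into its numeric parts.
// A pseudo-version such as v0.0.0-20240101000000-abcdef012345 parses as v0.0.0.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("not a vMAJOR.MINOR.PATCH version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad component %q in %q: %w", p, v, err)
		}
		out[i] = n
	}
	return out, nil
}

// CompareVersions returns -1, 0 or 1 as a is below, equal to or above b.
func CompareVersions(a, b string) (int, error) {
	pa, err := parseVersion(a)
	if err != nil {
		return 0, err
	}
	pb, err := parseVersion(b)
	if err != nil {
		return 0, err
	}
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			if pa[i] < pb[i] {
				return -1, nil
			}
			return 1, nil
		}
	}
	return 0, nil
}

// SelectedVersions parses `go list -m all` output into module -> selected version.
// A replace line "path v1 => newpath v2" resolves to v2; a local replace keeps v1.
func SelectedVersions(listOutput string) map[string]string {
	sel := make(map[string]string)
	for _, line := range strings.Split(listOutput, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 {
			continue // the main module line carries no version
		}
		mod, ver := f[0], f[1]
		for i, tok := range f {
			if tok == "=>" && len(f) > i+2 {
				ver = f[i+2]
			}
		}
		sel[mod] = ver
	}
	return sel
}

// Outdated lists "module have < required" for every flagged module below its floor.
func Outdated(listOutput string, required map[string]string) ([]string, error) {
	sel := SelectedVersions(listOutput)
	var out []string
	for mod, floor := range required {
		have, ok := sel[mod]
		if !ok {
			continue // not in the build graph, nothing to check
		}
		c, err := CompareVersions(have, floor)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", mod, err)
		}
		if c < 0 {
			out = append(out, fmt.Sprintf("%s %s < %s", mod, have, floor))
		}
	}
	sort.Strings(out)
	return out, nil
}

// BeforeFix is a constructed sample of `go list -m all` at the state the issue describes.
const BeforeFix = `github.com/benbjohnson/litestream
filippo.io/age v1.1.1
golang.org/x/crypto v0.41.0
golang.org/x/net v0.43.0
golang.org/x/oauth2 v0.15.0
google.golang.org/protobuf v1.31.0
`

func main() {
	bad, err := Outdated(BeforeFix, Required)
	if err != nil {
		panic(err)
	}
	for _, b := range bad {
		fmt.Println("needs update:", b)
	}
}
```

On the sample this reports only age, oauth2 and protobuf, matching the "Packages Requiring Updates" list, while x/crypto and x/net pass their floors. Against a real checkout, feed it the actual `go list -m all` output; for reachability rather than version floors, `govulncheck ./...` (golang.org/x/vuln/cmd/govulncheck) reports which of the advisories in the Go vulnerability database are actually called from the code.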
